Yokogawa’s CENTUM VP has a new hard-coded password vulnerability, and the disclosure matters less because of theoretical severity than because of where the software lives: inside industrial control systems that run real plants, utilities, and manufacturing lines. The issue, tracked as CVE-2025-7741, affects multiple CENTUM VP branches and can let an attacker log in as the PROG user under CENTUM Authentication Mode if they already have access to the HIS screen controls. CISA says exploitation is not remote and requires high attack complexity, but the advisory still lands as a meaningful reminder that authentication shortcuts in OT environments age badly even when the vendor rates practical impact as limited under default permissions. (vulners.com)
Background
CENTUM VP is Yokogawa’s flagship distributed control system, and it sits in a class of software where reliability, patch timing, and change management matter as much as the code itself. The platform is widely deployed in critical manufacturing, energy, and food and agriculture, which is exactly why advisories against it deserve close reading rather than headline-only treatment. Yokogawa’s own product pages stress the system’s long lifecycle, industrial resilience, and modern support for newer releases such as R7.01.10, which underscores how much operational continuity is baked into the product strategy.
This is not the first time the CENTUM line has faced authentication-related security scrutiny. Prior advisories from Yokogawa and CISA have covered issues involving CENTUM Authentication Mode, credential handling, and the tradeoff between backward compatibility and stronger identity controls. In other words, the current vulnerability sits inside a broader pattern: legacy operational technology often preserves older trust models long after enterprise IT has moved on.
The immediate technical problem here is simple: the product contains a hard-coded password for the PROG account used by CENTUM Authentication Mode. If an attacker can satisfy the preconditions, they may log in as PROG and potentially change permissions. Yokogawa and CISA both emphasize that the account normally carries S1 permission, equivalent to OFFUSER, so the default risk is limited; however, if permissions have been altered, the impact can rise materially. (vulners.com)
That nuance matters. Security in industrial environments is often less about whether a vulnerability exists and more about whether the affected deployment has drifted from the vendor’s assumptions. A system that has been carefully permissioned and isolated behaves very differently from one that has accumulated exceptions, operator convenience settings, and remote-access workarounds over years of maintenance. The same flaw can therefore be low consequence in one plant and serious in another depending on local configuration and operational discipline. (tenable.com)
What the Advisory Says
The CISA advisory for ICSA-26-092-02 republishes Yokogawa’s report and frames the issue as a use-of-hard-coded-password flaw mapped to CWE-259. The affected versions listed are CENTUM VP R5.01.00 through R5.04.20, R6.01.00 through R6.12.00, and R7.01.00. The presence of a hard-coded credential in an OT authentication path is never ideal, but here the disclosure also makes clear that the exploit path is not a drive-by internet attack. (vulners.com)
Exploit Preconditions
The most important detail is that exploitation requires access to the HIS screen controls. That means the attacker must already be close enough to interact with the human-machine interface or otherwise break into the interface through another method. CISA explicitly says the vulnerability is not remotely exploitable, and it describes the attack complexity as high, which sharply narrows the exposure surface relative to the kinds of flaws that dominate enterprise incident reports. (vulners.com)
This is why OT advisories often read differently from conventional IT advisories. The question is rarely, “Can someone on the internet trigger this?” The better question is, “What does this enable once an attacker is already in the room, already on the workstation, or already past perimeter defenses?” In that context, a hard-coded password can become a privilege-escalation hinge rather than a full standalone compromise. (tenable.com)
The vendor’s own framing is equally important. Yokogawa notes that the default PROG permission is equivalent to OFFUSER, so a properly permission-controlled deployment should see limited practical damage even if the credential is abused. But the advisory warns that if permissions have been changed for any reason, operations or configuration changes may be performed under those modified rights. That caveat turns a seemingly contained issue into a policy and configuration management issue. (tenable.com)
- The exploit is conditional, not universal.
- The attacker needs screen-control access first.
- Impact depends heavily on permission drift.
- Default rights are relatively constrained.
- Altered local permissions can magnify the effect.
Why the Conditions Matter
In industrial systems, the attack path often starts with a compromised workstation, a stolen engineering laptop, or poor segmentation between business and control networks. Once that foothold exists, local user accounts and inherited authentication modes can become surprisingly powerful. The advisory is therefore less a story about password reuse and more a story about how local access plus legacy trust can escalate into operational control. (tenable.com)
That is one reason CISA’s recommended practices still read like a blueprint for basic OT hygiene: minimize network exposure, isolate control networks from business networks, and use VPNs with caution, because VPNs are only as secure as the devices behind them. Those recommendations are generic, but they line up well with the reality of this advisory. If screen-control access is required for exploitation, then reducing who can reach those screens is the first line of defense.
Product Scope and Affected Versions
The version ranges are broad enough to matter to a significant installed base. Yokogawa identifies R5.01.00 to R5.04.20, R6.01.00 to R6.12.00, and R7.01.00 as affected, which means both mature deployments and newer branches need attention. The key implication is that security teams cannot assume that “newer equals safer” if the deployment remains on an affected branch. (vulners.com)
Release-Branch Implications
The exposure also tells a story about product longevity. CENTUM VP spans multiple release families that remain operationally relevant, and that persistence is common in ICS. Plants do not upgrade control systems the way consumers update a browser, because change windows are expensive, validation is slow, and downtime can be extraordinarily costly. That makes secure-by-default design far more important than in ordinary desktop software.
Yokogawa’s public positioning around R7.01.10 emphasizes modern compatibility, cybersecurity reinforcement, and long-term sustainability. That marketing message is relevant because it suggests the vendor is actively trying to move customers toward more current baselines. Yet the existence of this vulnerability in R7.01.00 shows how even the newest lines can inherit older architectural assumptions during transition periods.
The product status in the advisory is also marked known_affected, which is the practical language buyers and operators care about. Once a product line is officially known to be affected, the burden shifts to the asset owner to determine whether mitigation, upgrade, or compensating control is the fastest safe path. In OT, that decision is often not purely technical; it is also procedural and contractual. (vulners.com)
- Affected branches span R5, R6, and R7.
- Newer releases do not automatically eliminate legacy authentication risk.
- Upgrade timing in OT is constrained by validation and downtime.
- Asset owners must map the vendor’s branch guidance to real plant schedules.
Enterprise vs. Consumer Reality
Unlike consumer software, the impact of a flaw like this is rarely measured by individual account compromise. It is measured by whether a plant can continue to operate safely, whether operators can retain trustworthy visibility, and whether a malicious insider or intruder can influence a control workflow. That is why even a “medium” issue on paper can still deserve high-priority triage in a plant environment. (vulners.com)
For enterprise and industrial operators, the real question is not whether the CVSS label is dramatic enough. The question is whether the affected HIS stations are accessible, whether PROG permissions were customized, and whether the control network has the segmentation that Yokogawa and CISA assume. Those three questions often determine whether an advisory is merely informational or operationally urgent.
Vendor Remediation and Mitigation
Yokogawa’s preferred mitigations differ by release branch. For R5.01.00 to R5.04.20 and R6.01.00 to R6.12.00, the vendor recommends changing the user authentication mode to Windows Authentication Mode. For R7.01.00, Yokogawa says to apply patch software R7.01.10. That split matters because it shows the vendor is balancing immediate remediation with architectural change. (vulners.com)
Why Windows Authentication Mode Is Not a Simple Toggle
Yokogawa notes that changing to Windows Authentication Mode requires engineering work, and customers are told to contact the company directly if they want to make that change. That is a significant operational clue. It means the mitigation is not just a checkbox in a configuration panel; it can require validation, engineering review, and downtime planning. (vulners.com)
From a security standpoint, that is both good and bad. It is good because moving away from a legacy local-authentication path generally improves identity governance and makes password management more tractable. It is bad because any mitigation that needs engineering work becomes a scheduling problem, and scheduling problems tend to create temporary exposure while teams wait for a maintenance window. (vulners.com)
The vendor’s advisory, YSAR-26-0003, is the authoritative source for implementation details. In practice, that means customers should treat the CISA notice as the alerting layer and the Yokogawa advisory as the technical procedure. This is a common OT pattern: CISA publicizes the risk, but the product vendor owns the exact migration steps and the product-specific side effects. (vulners.com)
Operational Tradeoffs
A useful way to think about the remediation path is in layers. Patching R7.01.00 may be straightforward for some sites but not others, while switching older branches to Windows Authentication Mode could deliver a longer-term security improvement but consume more engineering effort now. That means the “best” remediation is likely to differ by plant maturity, validation regime, and downtime tolerance. (vulners.com)
- Patch where a clean upgrade path exists.
- Reconfigure authentication where the engineering burden is acceptable.
- Segment networks while remediation is pending.
- Audit permissions on PROG and related operator accounts.
- Document exceptions so temporary risk does not become permanent.
- Validate change control before touching production systems.
Why This Vulnerability Matters to OT Security
The obvious takeaway is that hard-coded passwords remain a bad idea, but the deeper lesson is more subtle: OT environments often preserve effective trust in ways that are invisible until a vulnerability appears. A user like PROG may seem harmless when default permissions are narrow, yet the advisory makes clear that permission changes can alter the impact substantially. That is how “low risk” becomes conditional risk in a live facility. (tenable.com)
The Role of Legacy Authentication
Legacy authentication modes persist because they are convenient, familiar, and sometimes deeply embedded in process workflows. But convenience in OT often translates into a wider blast radius when something goes wrong. The fact that Yokogawa offers Windows Authentication Mode as a mitigation suggests the vendor itself sees the legacy mode as a long-term liability, even if it remains operationally necessary in some plants. (vulners.com)
The other issue is scope creep. Security teams may believe a local credential is only relevant to one workstation or one operator workflow, yet those accounts can touch permission changes, configuration adjustments, and monitoring functions. Once a credential is embedded in the operating model, the difference between “authenticated operator” and “privileged operator” becomes very thin. (tenable.com)
This is why CISA’s note about existing access to HIS controls is so important. The vulnerability may not create initial access, but it can become an elevation path inside a control-room compromise. That makes it highly relevant to defenders focused on lateral movement, insider misuse, and post-compromise privilege escalation. (tenable.com)
Comparison with Prior Yokogawa Issues
Yokogawa has dealt with other CENTUM security issues in the past, including advisories that pushed customers toward Windows Authentication Mode or software updates. That history does not imply neglect; it does show the challenge of modernizing mature industrial platforms without breaking the operational guarantees customers depend on. The security bar is rising, but the cost of retrofitting a control stack is still high.
- OT systems often carry legacy trust assumptions.
- Authentication hardening can collide with downtime constraints.
- Permission changes can transform a mild issue into a serious one.
- Control-room access remains a meaningful security boundary.
- Historical advisories often foreshadow future architecture changes.
Attack Surface and Real-World Exposure
The attack surface for CVE-2025-7741 is narrower than many enterprise vulnerabilities, but narrower does not mean harmless. CISA says the issue is not remotely exploitable, and the attacker must already be able to access the HIS screen controls. That means exposure depends heavily on local access, adjacent compromises, or weakly protected engineering workstations. (vulners.com)
What an Attacker Would Need
At minimum, an attacker would need a way to obtain the hard-coded password using the “certain method” referenced in the advisory. They would also need a CENTUM HIS configured in CENTUM Authentication Mode and a way to perform screen operations on that host. In practice, that means the flaw is best understood as a privilege step inside a broader intrusion path rather than as a standalone break-in vector. (tenable.com)
That distinction changes how defenders should prioritize it. A flaw that requires local control-room access may not be a top concern on an internet-facing asset list, but it becomes very relevant in an OT environment where stolen credentials, remote support tooling, or physical access are realistic threat routes. The advisory itself effectively tells defenders where to look: at workstation protection, operator access, and identity assumptions. (vulners.com)
In many industrial incidents, the initial compromise is not the most dangerous part. The real danger comes when the attacker moves from one foothold to another, then starts altering permissions, disabling visibility, or changing logic under cover of legitimate interfaces. A hard-coded PROG password could help that transition if the surrounding controls are weak. (tenable.com)
Defensive Priorities
Defenders should treat the HIS as a high-value asset, not just a convenience terminal. That means physical access control, workstation hardening, and strict separation from business-user environments are all part of the vulnerability response. The more the HIS can be treated as a controlled engineering endpoint, the lower the chance that the flaw becomes useful to an attacker.
- Restrict physical access to HIS stations.
- Harden engineering workstations and operator endpoints.
- Review remote access to plant networks.
- Enforce least privilege on user permissions.
- Monitor for unexpected auth-mode changes.
- Log and review operator-session anomalies.
CVSS, Severity, and How to Read the Numbers
The scoring picture is unusually interesting. CISA’s page reflects a CVSS v3.1 base score of 4.0, labeled medium, while third-party vulnerability databases show different scoring interpretations and even a much higher legacy-style CVSS v3 value in some feeds. That kind of divergence is common when OT vendors provide contextual scoring based on constrained exploit conditions, while generic databases emphasize worst-case theoretical impact. (vulners.com)
Why Scores Diverge
The discrepancy highlights a core problem in OT vulnerability management: numeric scores can mislead if they are detached from plant topology and permission state. A system with default permissions, isolation, and no remote access is not equivalent to a permissive, shared, loosely segmented deployment. The same CVE can therefore rank very differently depending on how an asset owner interprets the real-world preconditions. (tenable.com)
CISA’s narrative also helps explain why the score is not higher in practice. The exploit is local, the complexity is high, and the default permissions are limited. That combination lowers the practical likelihood of catastrophic misuse even though the underlying defect — a hard-coded password — would normally be considered a serious design flaw. (vulners.com)
This is a good example of why defenders should not let the score do all the thinking. The better approach is to use the score as a triage signal, then evaluate site-specific exposure, account privilege, and the feasibility of the attacker getting to the HIS in the first place. In OT, context is not an optional enhancement; it is the whole analysis. (vulners.com)
Practical Triage Checklist
- Confirm whether the site uses CENTUM Authentication Mode.
- Check whether PROG permissions were modified from default.
- Determine whether HIS access is physically and logically restricted.
- Identify the exact CENTUM VP branch in use.
- Decide whether patching or auth-mode migration is the safer near-term action.
Strengths and Opportunities
The good news is that the advisory does not point to a remote wormable condition or a flaw that instantly turns the internet into a threat surface for control systems. The vendor also provides a concrete mitigation path, including an update for the newest affected branch and a path toward stronger authentication for older branches. In practical terms, that makes this a manageable—but still important—industrial hygiene issue rather than a crisis.
- The attack is not remotely exploitable.
- Default PROG permissions limit the likely impact.
- Yokogawa provides branch-specific mitigation.
- A move to Windows Authentication Mode can improve identity control.
- The advisory gives defenders a clear triage starting point.
- The issue reinforces best practices around segmentation and least privilege.
- The vendor’s disclosure suggests a functioning responsible disclosure process.
Risks and Concerns
The biggest concern is not the default configuration; it is the real-world drift that accumulates in industrial environments over time. If permissions were modified, if operator access is broader than intended, or if the HIS is reachable from poorly controlled networks, then a “low impact” flaw can become much more consequential. The other concern is timing: any mitigation requiring engineering work can be delayed by production constraints, leaving exposure in place longer than security teams would like.
- Permission drift can amplify the impact.
- HIS access can become a stepping stone for lateral movement.
- Change windows may delay remediation.
- Legacy authentication paths are inherently harder to secure.
- Remote-access exceptions can undermine segmentation.
- OT patching may be slower than attacker timelines.
- Misreading the advisory as “minor” could lead to under-prioritization.
Looking Ahead
The most likely next phase is quiet operational remediation rather than a dramatic public incident. Owners of affected plants will need to inventory their CENTUM VP versions, inspect how PROG permissions are configured, and decide whether they can move to Windows Authentication Mode or whether a patch is the faster option. The real work will happen in engineering change boards, not in press releases.
The broader trend is also clear: industrial vendors are steadily being pushed toward stronger identity models, fewer embedded secrets, and better alignment with modern Windows-based controls. Yokogawa’s newer messaging around CENTUM VP R7.01.10 suggests the platform is moving in that direction, but old authentication modes and long-lived deployments do not disappear overnight. That gap between product ambition and field reality is where most OT risk lives.
- Inventory all CENTUM VP instances and versions.
- Verify whether CENTUM Authentication Mode is enabled.
- Audit whether PROG permissions differ from the default.
- Prioritize the R7.01.10 patch where applicable.
- Plan engineering work for any switch to Windows Authentication Mode.
- Tighten access to HIS screen controls and related endpoints.
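The Practical Triage Checklist and the inventory steps just listed are one procedure, and the branch-specific mitigations from the Vendor Remediation section are its decision table. The added Python example below (my own illustration, not code from the article, CISA or Yokogawa) encodes the advisory's affected ranges and mitigations and ranks a constructed HIS inventory by how far each station has drifted from the vendor's assumptions. The station names, the inventory fields (authentication mode, whether PROG still holds its default S1/OFFUSER-equivalent rights, whether HIS screen-control access is restricted, whether the HIS is reachable from the business network) and every value in them are constructed for the example; in a real plant they would come from the site's own asset records and a permission audit.

```python
import re
from dataclasses import dataclass, field

# Affected version ranges exactly as the advisory lists them (inclusive bounds).
AFFECTED_RANGES = [
    ((5, 1, 0), (5, 4, 20)),    # R5.01.00 through R5.04.20
    ((6, 1, 0), (6, 12, 0)),    # R6.01.00 through R6.12.00
    ((7, 1, 0), (7, 1, 0)),     # R7.01.00 only
]
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2, "none": 3}


def parse_version(text: str) -> tuple:
    """'R6.12.00' -> (6, 12, 0); rejects anything that is not an Rx.yy.zz string."""
    m = re.fullmatch(r"R(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised CENTUM VP version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_mitigation(version: str) -> str:
    """Branch-specific vendor guidance as stated in the advisory."""
    if not is_affected(version):
        return "not listed as affected; no action required by this advisory"
    if parse_version(version)[0] in (5, 6):
        return "change user authentication mode to Windows Authentication Mode (engineering work; contact Yokogawa)"
    return "apply patch software R7.01.10"


@dataclass
class HisStation:
    name: str
    version: str
    auth_mode: str                  # "CENTUM" or "WINDOWS" (assumed inventory field)
    prog_permission_default: bool   # True if PROG still has its default S1 (OFFUSER-equivalent) rights
    his_access_restricted: bool     # physical and logical access to screen controls is controlled
    reachable_from_business_net: bool


@dataclass
class Finding:
    station: str
    priority: str                   # "high", "medium", "low" or "none"
    mitigation: str
    reasons: list = field(default_factory=list)


def triage(s: HisStation) -> Finding:
    """Apply the checklist: branch, auth mode, PROG permission drift, HIS reachability."""
    if not is_affected(s.version):
        return Finding(s.name, "none", recommended_mitigation(s.version), ["version outside the advisory's ranges"])
    if s.auth_mode.upper() != "CENTUM":
        return Finding(s.name, "low", "already in Windows Authentication Mode; keep the branch patch/upgrade on the normal schedule",
                       ["hard-coded PROG login applies to CENTUM Authentication Mode only"])
    f = Finding(s.name, "medium", recommended_mitigation(s.version), ["affected branch running CENTUM Authentication Mode"])
    if not s.prog_permission_default:
        f.priority = "high"
        f.reasons.append("PROG permission changed from default; impact no longer bounded by OFFUSER-equivalent rights")
    if not s.his_access_restricted:
        f.priority = "high"
        f.reasons.append("HIS screen controls not access-restricted; the exploit precondition is easy to meet")
    if s.reachable_from_business_net:
        f.priority = "high"
        f.reasons.append("HIS reachable from the business network; the segmentation assumption does not hold")
    return f


def rank(stations) -> list:
    """Triage every station and order the findings most urgent first."""
    return sorted((triage(s) for s in stations), key=lambda f: PRIORITY_ORDER[f.priority])


# Constructed inventory for the example; station names and states are invented, not real plant data.
INVENTORY = [
    HisStation("HIS0164", "R6.12.00", "CENTUM", True, True, False),
    HisStation("HIS0201", "R7.01.00", "CENTUM", False, True, False),
    HisStation("HIS0307", "R5.04.20", "WINDOWS", True, True, False),
    HisStation("HIS0412", "R7.01.10", "CENTUM", True, True, False),
    HisStation("HIS0500", "R6.03.00", "CENTUM", True, False, True),
]

if __name__ == "__main__":
    for f in rank(INVENTORY):
        print(f"{f.priority:6} {f.station}: {f.mitigation}")
        for r in f.reasons:
            print(f"         - {r}")
```

The ranking deliberately ignores the CVSS label: a station on an affected branch with default PROG rights and restricted HIS access stays at medium, while permission drift, open screen-control access or reachability from the business network each push it to high on their own, because any one of them removes the assumption the 4.0 score rests on.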
Source: CISA advisory ICSA-26-092-02, Yokogawa CENTUM VP