
Critical Yokogawa CENTUM VP Flaws Expose Industrial Systems to Remote Attacks

Security Arsenal Team
February 26, 2026
5 min read


Industrial control systems (ICS) form the nervous system of critical infrastructure, managing everything from power grids to manufacturing lines. A newly identified set of vulnerabilities in Yokogawa’s flagship Distributed Control System (DCS), CENTUM VP, has sent a ripple of concern through the operational technology (OT) community. These flaws allow attackers to disrupt operations or potentially execute malicious code without user authentication, simply by sending maliciously crafted packets to the network interface.

At Security Arsenal, we are analyzing these vulnerabilities to help Dallas-based energy and manufacturing firms assess their risk posture and respond effectively.

Vulnerability Analysis: The Vnet/IP Vector

The core of the issue lies in the Vnet/IP Interface Package for CENTUM VP versions R6 and R7. Vnet/IP is Yokogawa’s proprietary protocol for real-time control communication between stations. The vulnerabilities affect interface package versions R1.07.00 and earlier.

Six CVEs were disclosed, all sharing a similar attack vector: the reception of maliciously crafted network packets.

The Critical Remote Code Execution Flaw

The most severe issue is tracked as CVE-2025-1924 (CVSS 6.9, Medium).

  • Vulnerability: Out-of-bounds Write (CWE-787).
  • Impact: This flaw is the most dangerous because it allows for Arbitrary Code Execution (effectively Remote Code Execution, RCE). By sending specifically engineered packets, an attacker can corrupt memory in a way that allows them to run their own code on the controller.
  • Context: While the attack vector is Adjacent (AV:A) and complexity is High (AC:H), successful exploitation bypasses the need for credentials (PR:N). In a flat OT network, an attacker with access to a single compromised workstation could pivot to critical control functions.

The Denial-of-Service (DoS) Cluster

The remaining five vulnerabilities (CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, and CVE-2025-48023) all carry a CVSS score of 5.3 (Medium).

  • Vulnerabilities: Reachable Assertion (CWE-617), Integer Underflow (CWE-191), and Improper Handling of Length Parameter (CWE-130).
  • Impact: These flaws result in the termination of the Vnet/IP software stack process.
  • Consequence: While less severe than RCE, the operational impact is immediate. Terminating the communication stack halts data exchange between the Human Interface Station (HIS) and Field Control Stations (FCS), effectively blinding operators and stopping automated control processes.

Threat Hunting and Detection

Detecting exploitation attempts for these specific vulnerabilities requires looking for network anomalies and process crashes within the OT environment. Since the attack relies on crafted packets, network intrusion detection systems (NIDS) and endpoint telemetry are crucial.

1. PowerShell Version Inventory

Security teams must first identify assets running the vulnerable interface package. The following PowerShell script scans the system for installed Yokogawa packages matching the vulnerable version ranges.

Script / Code
# Get-WmiObject is used for legacy compatibility on older OT servers (e.g., Server 2008/2012).
# Caveat: enumerating Win32_Product triggers an MSI consistency check of every installed product,
# so query it once (not once per identifier) and only during a maintenance window on production
# HIS/ENG stations.
$vulnerablePackages = @("VP6C3300", "VP7C3300")
$maxVulnerableVersion = [version]"1.07.00"   # R1.07.00 and earlier are affected

# Enumerate installed products a single time, then match each package identifier against the list
$allProducts = Get-WmiObject -Class Win32_Product
$results = @()

foreach ($pkg in $vulnerablePackages) {
    $installed = $allProducts | Where-Object {
        $_.Name -like "*$pkg*" -or $_.IdentifyingNumber -like "*$pkg*"
    }

    foreach ($item in $installed) {
        # Vendor version strings look like "R1.07.00". Strip the leading "R" and compare
        # numerically with [version]; a plain string comparison is lexicographic and
        # misclassifies versions with a leading letter or different digit widths.
        $rawVersion = "$($item.Version)"
        try {
            $ver = [version]($rawVersion -replace '^[Rr]', '')
            if ($ver -le $maxVulnerableVersion) { $status = "VULNERABLE" } else { $status = $null }
        } catch {
            # Unparseable version string: report it for manual review rather than silently skipping
            $status = "UNKNOWN - verify manually"
        }

        if ($status) {
            $results += [PSCustomObject]@{
                ComputerName = $env:COMPUTERNAME
                ProductName  = $item.Name
                Version      = $rawVersion
                Status       = $status
            }
        }
    }
}

if ($results) {
    $results | Format-Table -AutoSize
} else {
    Write-Host "No vulnerable Vnet/IP packages found matching the criteria."
}

2. KQL Query for Service Termination (Microsoft Sentinel)

The DoS vulnerabilities cause the software stack process to terminate. You can hunt for sudden stops of Yokogawa processes correlating with network activity.

Script / Code
// Hunt for Yokogawa process termination events
// Caveat: the Defender for Endpoint DeviceProcessEvents table records process creation
// (ActionType "ProcessCreated"); process exits are generally not surfaced there. If your
// tenant returns no "ProcessTerminated" rows, hunt Windows Security Event 4689 (process
// exit, requires "Audit Process Termination") in the SecurityEvent table instead.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ActionType == "ProcessTerminated"
// Filter for common Yokogawa executable names or Vnet/IP processes
| where FileName has "Vnet"
    or ProcessVersionInfoCompanyName contains "Yokogawa"
    or ProcessVersionInfoProductName contains "CENTUM"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessVersionInfoProductVersion
| order by Timestamp desc
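The hunt above is meant to tie a Vnet/IP process termination to preceding network activity. The following Python script is an added example, not part of the original post or Yokogawa tooling: it runs over constructed sample telemetry (the host names, executable name and addresses are invented) and flags any Yokogawa/Vnet process termination that occurs within 60 seconds of an inbound connection on TCP/12003 to the same host.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Yokogawa logs): inbound-connection and
# process-termination events from two DCS hosts, in the shape a SIEM export might have.
SAMPLE_EVENTS = [
    {"ts": "2026-02-20T08:00:05Z", "device": "HIS01", "type": "network_inbound",
     "remote_ip": "10.10.5.77", "local_port": 12003},
    {"ts": "2026-02-20T08:00:09Z", "device": "HIS01", "type": "process_terminated",
     "file": "VnetIpSvc.exe", "company": "Yokogawa"},          # 4 s after inbound: hit
    {"ts": "2026-02-20T09:30:00Z", "device": "HIS02", "type": "process_terminated",
     "file": "VnetIpSvc.exe", "company": "Yokogawa"},          # no preceding inbound on HIS02
    {"ts": "2026-02-20T10:00:00Z", "device": "HIS01", "type": "network_inbound",
     "remote_ip": "10.10.5.12", "local_port": 12003},
    {"ts": "2026-02-20T10:20:00Z", "device": "HIS01", "type": "process_terminated",
     "file": "VnetIpSvc.exe", "company": "Yokogawa"},          # 20 min later: outside window
    {"ts": "2026-02-20T10:21:00Z", "device": "HIS01", "type": "process_terminated",
     "file": "notepad.exe", "company": "Microsoft"},           # not a Vnet/Yokogawa process
]

VNET_PORT = 12003            # default Vnet/IP port; configuration dependent
WINDOW = timedelta(seconds=60)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_vnet_process(ev):
    """Mirror the KQL filter: 'Vnet' in the file name or a Yokogawa/CENTUM vendor string."""
    return ("Vnet" in ev.get("file", "")
            or "Yokogawa" in ev.get("company", "")
            or "CENTUM" in ev.get("product", ""))

def correlate_crashes(events, port=VNET_PORT, window=WINDOW):
    """Return (device, crash_ts, remote_ip) for every Vnet/IP process termination that
    follows, within `window`, an inbound connection to `port` on the same host."""
    inbound = [e for e in events
               if e["type"] == "network_inbound" and e["local_port"] == port]
    hits = []
    for ev in events:
        if ev["type"] != "process_terminated" or not is_vnet_process(ev):
            continue
        crash_ts = parse_ts(ev["ts"])
        for conn in inbound:
            delta = crash_ts - parse_ts(conn["ts"])
            if conn["device"] == ev["device"] and timedelta(0) <= delta <= window:
                hits.append((ev["device"], ev["ts"], conn["remote_ip"]))
    return hits

if __name__ == "__main__":
    for device, ts, src in correlate_crashes(SAMPLE_EVENTS):
        print(f"{ts} {device}: Vnet/IP process terminated within {WINDOW.seconds}s of inbound from {src}")
```

Feed it real exports by replacing SAMPLE_EVENTS with your SIEM's process-exit and inbound-connection records mapped to the same field names.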

3. Network Traffic Anomaly (Bash / Tcpdump snippet)

For deep packet inspection (DPI) environments or network forensics, monitoring for abnormal traffic patterns targeting Vnet/IP ports (typically TCP/12003, though configuration dependent) is advisable.

Script / Code
# Capture packets on common Vnet/IP ports (default 12003) with larger than usual payload sizes.
# 'len' is the captured frame length, so 'len > 1500' only matches above-MTU frames (seen when
# the capture host has receive offload enabled); lower the threshold to whatever segment size
# is normal for your Vnet/IP traffic. The second clause selects segments with the PSH flag set.
# Note: Consult network documentation for specific port configurations in your environment.
tcpdump -i eth0 -nn -s 0 'tcp port 12003 and (len > 1500 or tcp[tcpflags] & tcp-push != 0)'

Mitigation and Remediation

Yokogawa has released a patch to address these critical flaws. Security Arsenal recommends the following immediate actions:

  1. Apply Patch R1.08.00: The definitive remediation is to upgrade the Vnet/IP Interface Package to version R1.08.00. This update resolves all six CVEs listed above.

  2. Strict Network Segmentation: Ensure that Vnet/IP control traffic is isolated from the corporate IT network. The vulnerability requires an attacker to be on the adjacent network. By segmenting networks and restricting access to Vnet/IP VLANs strictly to engineering workstations, you reduce the attack surface.

  3. Review Firewall Rules: Verify that firewalls between the business network and the control zone deny all unnecessary traffic to the DCS, specifically blocking unauthorized access to Yokogawa-specific ports.

  4. Contact Vendor Support: If patching is not immediately possible due to operational uptime requirements, contact Yokogawa support to evaluate interim mitigations as detailed in advisory YSAR-26-0002.

Conclusion

The convergence of IT and OT security necessitates a proactive stance. While no public exploitation has been recorded yet, the prerequisite for attack (network adjacency) is common in many industrial facilities. Identifying vulnerable CENTUM VP instances and applying the R1.08.00 update should be a priority for all Site Reliability Engineers and OT Security Managers.
