
CVE-2025-7741: Yokogawa CENTUM VP Hardcoded Password — Detection and Hardening Guide

Security Arsenal Team
April 18, 2026
6 min read

Defenders in Critical Manufacturing and Energy sectors need to be on high alert following the release of a CISA advisory (ICSA-26-092-02) detailing a severe security flaw in Yokogawa CENTUM VP, a widely used Distributed Control System (DCS).

The vulnerability, tracked as CVE-2025-7741, involves the use of a hardcoded password for the PROG user account within the CENTUM Authentication Mode. Successful exploitation allows an attacker to bypass authentication, log in as a privileged user, and modify permissions. Given the role of CENTUM VP in industrial processes, this is not just an IT issue—it is a direct threat to operational safety and availability. While the CVSS v3 score is listed as 4.4, the potential impact on critical infrastructure necessitates immediate remediation.

Technical Analysis

Affected Products:

  • Yokogawa CENTUM VP R5.01.00 and later
  • Yokogawa CENTUM VP R6.01.00 and later
  • Yokogawa CENTUM VP vR7.01.00

Vulnerability Details:

  • CVE ID: CVE-2025-7741
  • CWE: CWE-798 (Use of Hard-coded Credentials)
  • Attack Vector: The vulnerability exists because the system contains a hardcoded password for the PROG account. This account is specifically used for CENTUM Authentication Mode.

Attack Chain:

  1. Reconnaissance: An attacker scans for Yokogawa CENTUM VP interfaces exposed to the network, often via engineering workstations or exposed HMI/ICS ports.
  2. Exploitation: The attacker initiates an authentication request using the known hardcoded credential for the PROG user.
  3. Privilege Escalation/Abuse: Upon successful login, the attacker gains the privileges associated with the PROG account.
  4. Impact: The attacker can modify permissions within the system, potentially disrupting process logic, altering safety thresholds, or causing denial-of-service conditions.

Exploitation Status: This is a documented vulnerability in a CISA advisory. While active exploitation in the wild has not been explicitly confirmed at the time of writing, the disclosure of a hardcoded credential significantly lowers the barrier for threat actors, making it highly likely to be incorporated into automated ICS-focused exploit tooling.

Detection & Response

Detecting the exploitation of hardcoded credentials requires monitoring for the specific usage of the compromised account (PROG) and subsequent administrative actions. In many OT environments, specific engineering workstations communicate with the controllers. Security teams must tightly correlate logon events with process execution.
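The correlation described above, as an added Python example that is not part of the advisory or this page's own tooling: it pairs every PROG logon (Event ID 4624) with launches of the Yokogawa engineering tools on the same host within a window, and the bare logon list doubles as the retrospective review of past PROG logons. The JSON log lines, the 30-minute window and the field names are constructed assumptions.

```python
"""Correlate PROG logons (Event ID 4624) with Yokogawa engineering-tool launches
(Sysmon Event ID 1) on the same host. Added example; log lines are constructed."""
import json
from datetime import datetime, timedelta

ENGINEERING_TOOLS = {"bkhcmd.exe", "bkhmi.exe"}  # same images as the Sigma rule
WINDOW = timedelta(minutes=30)  # assumption: tool launch within 30 min of logon

# Constructed sample events, one JSON object per line (SIEM-export style)
SAMPLE_LOG = r"""
{"ts": "2026-04-18T08:00:05", "host": "EWS01", "event_id": 4624, "user": "PROG", "logon_type": 10, "src_ip": "10.10.5.23"}
{"ts": "2026-04-18T08:04:40", "host": "EWS01", "event_id": 1, "user": "PROG", "image": "C:\\Program Files (x86)\\YOKOGAWA\\CENTUMVP\\bkhcmd.exe"}
{"ts": "2026-04-18T09:15:00", "host": "EWS02", "event_id": 4624, "user": "operator1", "logon_type": 2, "src_ip": "-"}
{"ts": "2026-04-18T09:16:00", "host": "EWS02", "event_id": 1, "user": "operator1", "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2026-04-18T11:00:00", "host": "EWS03", "event_id": 4624, "user": "PROG", "logon_type": 3, "src_ip": "10.10.5.99"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def prog_logons(events):
    """Every successful logon by PROG; also usable for retrospective log review."""
    return [e for e in events if e["event_id"] == 4624 and e["user"].upper() == "PROG"]

def tool_launches_after(events, logon, window=WINDOW):
    """Engineering-tool process creations on the logon's host inside the window."""
    return [e for e in events
            if e["event_id"] == 1 and e["host"] == logon["host"]
            and logon["ts"] <= e["ts"] <= logon["ts"] + window
            and e["image"].rsplit("\\", 1)[-1].lower() in ENGINEERING_TOOLS]

def triage(events):
    """One alert per PROG logon; escalate when an engineering tool followed it."""
    alerts = []
    for logon in prog_logons(events):
        tools = tool_launches_after(events, logon)
        alerts.append({"host": logon["host"], "src_ip": logon["src_ip"],
                       "logon_type": logon["logon_type"],
                       "severity": "critical" if tools else "high",
                       "tools": [t["image"].rsplit("\\", 1)[-1] for t in tools]})
    return alerts
```

On the constructed sample, EWS01 is escalated to critical (PROG logon followed by bkhcmd.exe) while EWS03 stays a high-severity logon-only alert; the operator1 activity on EWS02 produces nothing.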

SIGMA Rules

The following rules focus on detecting the authentication of the PROG user, which should be rare or non-existent in standard operations, and the execution of Yokogawa engineering tools.

YAML
---
title: Potential Yokogawa CENTUM VP Hardcoded Credential Usage
id: 8c4d2a1f-3e4b-4a5c-9f1d-2e3a4b5c6d7e
status: experimental
description: Detects successful logon events (Event ID 4624) for the PROG user account associated with Yokogawa CENTUM VP hard-coded credentials (CVE-2025-7741).
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-02
author: Security Arsenal
date: 2025/02/26
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    TargetUserName: 'PROG'  # exact (case-insensitive) match, so PROGRAM* service accounts do not trigger the rule
  condition: selection
falsepositives:
  - Legitimate engineering activities using the PROG account (if expected)
level: high
---
title: Yokogawa CENTUM VP Engineering Tool Execution
id: 9d5e3b2a-4f5c-5d6e-0e2f-3f4a5b6c7d8e
status: experimental
description: Detects execution of known Yokogawa CENTUM VP engineering tools (bkhcmd.exe) often used for system modifications. Monitor context of parent/child processes.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-02
author: Security Arsenal
date: 2025/02/26
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\bkhcmd.exe'
      - '\BkHMi.exe'
  condition: selection
falsepositives:
  - Authorized configuration changes by system integrators
level: medium

KQL (Microsoft Sentinel / Defender)

This hunt query looks for successful logons by the PROG user, which should be investigated immediately in environments running Yokogawa software.

KQL — Microsoft Sentinel / Defender
SecurityEvent
| where EventID == 4624
| where TargetUserName =~ "PROG"
| project TimeGenerated, Computer, TargetUserName, LogonType, IpAddress, WorkstationName
| extend LogonTypeMapping = case(
    LogonType == 2, "Interactive",
    LogonType == 3, "Network",
    LogonType == 10, "RemoteInteractive",
    "Other")
| order by TimeGenerated desc

Velociraptor VQL

Use this artifact to hunt for the presence of the specific Yokogawa executables and check for recent process activity on engineering workstations.

VQL — Velociraptor
-- Hunt for Yokogawa CENTUM VP engineering processes
-- (?i) makes the match case-insensitive, since Windows image names vary in case
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ '(?i)(bkhcmd|BkHMi|CentumVP)'

Remediation Script (PowerShell)

This script helps identify vulnerable installations of Yokogawa CENTUM VP on Windows-based engineering stations by checking file versions. Note: Actual remediation requires applying the vendor patch.

PowerShell
# Check for Yokogawa CENTUM VP Installations and Versions
# Requires Admin privileges to read Program Files

$centumPaths = @(
    "C:\Program Files (x86)\YOKOGAWA\CENTUMVP",
    "C:\Program Files\YOKOGAWA\CENTUMVP",
    "D:\Program Files (x86)\YOKOGAWA\CENTUMVP"
)

$foundVulnerable = $false

foreach ($path in $centumPaths) {
    if (Test-Path $path) {
        Write-Host "[+] Found CENTUM VP installation at: $path" -ForegroundColor Cyan
        
        # Common executable to check version
        $exePath = Join-Path $path "System\CentumVP.exe" 
        
        if (Test-Path $exePath) {
            $fileInfo = Get-Item $exePath
            $version = $fileInfo.VersionInfo.FileVersion
            Write-Host "    Version detected: $version" -ForegroundColor Yellow
            
            # Note: Version parsing logic depends on specific vendor mapping. 
            # CVE-2025-7741 affects >= R5.01.00, >= R6.01.00, vR7.01.00
            # This script identifies presence; check version against vendor advisory.
            Write-Host "    Action: Verify this version against patch requirements for CVE-2025-7741." -ForegroundColor Red
            $foundVulnerable = $true
        }
    }
}

if (-not $foundVulnerable) {
    Write-Host "No standard Yokogawa CENTUM VP installations found in default paths." -ForegroundColor Green
}

Remediation

To mitigate CVE-2025-7741, defenders in the Critical Manufacturing and Energy sectors must take the following immediate steps:

  1. Apply Patches: Review the official Yokogawa advisory and CISA ICSA-26-092-02. Apply the vendor-provided updates that address the hardcoded password issue. Ensure you update to the latest patched versions specific to your release (R5, R6, or R7).
  2. Network Segmentation: Ensure that CENTUM VP engineering stations and controllers are not directly accessible from the internet or untrusted networks. Place them in a strictly controlled ICS zone behind a firewall.
  3. Disable Unused Accounts: If the PROG account is not required for daily operations, verify if the patch allows disabling it or changing the credential to a strong, unique password post-patch.
  4. Monitor for Anomalies: Implement the detection rules provided above to monitor for any suspicious usage of the PROG account or engineering tools.
  5. Review Access Logs: Conduct a retrospective review of Windows Security logs (Event ID 4624) on all HMI and Engineering Workstations for any previous logons by the PROG account.

Official Advisory: CISA Advisory ICSA-26-092-02
