Defending Against CVE-2025-7741: Hardcoded Password Risk in Yokogawa CENTUM VP

Recent advisories from CISA (ICSA-26-092-02) have highlighted a critical vulnerability in Yokogawa’s CENTUM VP, a widely used Distributed Control System (DCS) in critical infrastructure sectors such as Energy, Critical Manufacturing, and Food and Agriculture.

The vulnerability, tracked as CVE-2025-7741, carries a CVSS v3 score of 4.0 (Medium) but poses a significant risk to operational environments due to the nature of the flaw: a hardcoded password for the privileged 'PROG' user account. While the CVSS score may seem moderate compared to remote code execution vulnerabilities, the impact on Industrial Control Systems (ICS) is severe. Successful exploitation allows an attacker to bypass authentication, log in as a high-privilege user, and modify system permissions, potentially disrupting physical processes.

For defenders, this highlights the importance of maintaining strict hygiene in OT environments and detecting anomalies in authentication behavior immediately.

Technical Analysis

Affected Products:

• CENTUM VP R5.01.00 and later
• CENTUM VP R6.01.00 and later
• CENTUM VP R7.01.00

Vulnerability Details:

• CVE ID: CVE-2025-7741
• Vulnerability Type: Use of Hard-coded Password (CWE-798)
• Affected Component: CENTUM Authentication Mode

The issue stems from the presence of a hardcoded password for the 'PROG' user account, which is used internally for CENTUM Authentication Mode. Under specific conditions, an attacker with network access to the system could utilize this hardcoded credential to authenticate. Once authenticated, the attacker gains the privileges associated with the PROG account, allowing them to modify permissions and potentially alter the configuration or operation of the industrial controller.

Severity: CVSS v3 Base Score: 4.0 (Medium) While the network attack complexity is high and privileges are low (pre-authentication), the impact on confidentiality, integrity, and availability is high within the context of the control system.

Defensive Monitoring

To protect your organization against this vulnerability, Security Arsenal recommends the following detection strategies. Since this involves a hardcoded credential, the most effective defensive posture involves monitoring for unusual login activity, specifically targeting the 'PROG' user, and verifying patch status across the environment.

SIGMA Rules

The following SIGMA rules are designed to be deployed in your SIEM to detect potential exploitation attempts or verify the vulnerability presence.

---
title: Potential Yokogawa CENTUM VP Hardcoded Credential Usage
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects authentication attempts or logins using the PROG account on Yokogawa CENTUM VP systems, which may indicate exploitation of CVE-2025-7741.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-02
author: Security Arsenal
date: 2025/02/17
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\centum.exe'
    CommandLine|contains: 'PROG'
  condition: selection
falsepositives:
  - Legitimate administrative use of the PROG account by known engineers
level: high
---
title: Yokogawa CENTUM VP Unusual Network Login Activity
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects network connections to Yokogawa CENTUM VP engineering ports that may indicate brute force or hardcoded credential usage.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-02
author: Security Arsenal
date: 2025/02/17
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 2010
    Image|endswith: '\centum.exe'
  condition: selection
falsepositives:
  - Authorized remote engineering connections
level: medium

KQL Queries

For organizations using Microsoft Sentinel or Microsoft Defender for Identity, the following KQL queries can help identify suspicious activity related to the hardcoded credentials or validate patch levels.

// Identify authentication events involving the PROG account
SecurityEvent
| where EventID == 4624 or EventID == 4625
| where TargetUserName == "PROG"
| project TimeGenerated, Computer, TargetUserName, LogonType, IpAddress, SubjectUserName
| order by TimeGenerated desc

// Search for process execution related to CENTUM VP
DeviceProcessEvents
| where ProcessVersionInfoCompanyName contains "Yokogawa"
| where ProcessVersionInfoProductName contains "CENTUM"
| project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc

Velociraptor VQL

Velociraptor is an essential tool for endpoint hunting in OT environments. Use the following VQL artifacts to hunt for the presence of vulnerable CENTUM VP versions or signs of the PROG account being utilized in configuration files.

-- Hunt for specific versions of Yokogawa CENTUM VP executables
SELECT FullPath, Mtime, Size, Version.String
FROM glob(globs='C:\Program Files\YOKOGAWA\CENTUMVP\**\*.exe')
WHERE Version.String =~ 'R5.' OR Version.String =~ 'R6.' OR Version.String =~ 'R7.'

-- Search for configuration files referencing the PROG user
SELECT FullPath, Data
FROM glob(globs='C:\ProgramData\YOKOGAWA\CENTUMVP\**\*.ini')
WHERE Data =~ 'PROG' OR Data =~ 'Password'

PowerShell Script

Administrators can use the following PowerShell script to scan the network for instances of Yokogawa CENTUM VP and check specific file versions to determine vulnerability status.

<#
.SYNOPSIS
    Scan for vulnerable Yokogawa CENTUM VP versions.
.DESCRIPTION
    This script checks common installation paths for Yokogawa CENTUM VP and compares file versions against affected ranges (R5.01+, R6.01+, R7.01.00).
#>

$TargetPath = "C:\Program Files\YOKOGAWA\CENTUMVP"
$VulnerableVersions = @("R5.01.00", "R6.01.00", "R7.01.00")

if (Test-Path $TargetPath) {
    Write-Host "[+] Checking CENTUM VP installation at $TargetPath" -ForegroundColor Cyan
    
    $Files = Get-ChildItem -Path $TargetPath -Recurse -Filter "*.exe" -ErrorAction SilentlyContinue
    
    foreach ($File in $Files) {
        $VersionInfo = $File.VersionInfo
        $FileVersion = $VersionInfo.FileVersion
        $ProductName = $VersionInfo.ProductName
        
        if ($ProductName -like "*CENTUM*" -and $FileVersion) {
            Write-Host "Found: $($File.FullName) - Version: $FileVersion" -ForegroundColor Yellow
            
            # Basic logic to flag versions (Refine regex based on specific vendor string)
            if ($FileVersion -match "R5\.0" -or $FileVersion -match "R6\.0" -or $FileVersion -match "R7\.01") {
                Write-Host "[!] ALERT: Potentially vulnerable version detected!" -ForegroundColor Red
            }
        }
    }
} else {
    Write-Host "[-] CENTUM VP installation path not found." -ForegroundColor Gray
}

Remediation

Organizations utilizing Yokogawa CENTUM VP should immediately take the following steps to mitigate the risk posed by CVE-2025-7741:

1. Apply Patches: Yokogawa has released updates to address this vulnerability. Users are strongly encouraged to review the vendor’s security advisory and apply the necessary patches immediately. Ensure that the upgrade includes the removal or modification of the hardcoded 'PROG' credential.

2. Network Segmentation: Ensure that ICS networks are strictly segmented from the corporate IT network. The CENTUM VP systems should not be directly accessible from the internet. Utilize DMZs and firewalls to restrict access to engineering workstations only.

3. Review Account Permissions: Conduct a thorough audit of user accounts within the CENTUM environment. If the 'PROG' account is not required for operations, disable it or ensure its permissions are minimized until the patch is applied.

4. Monitor for Anomalies: Implement the detection rules provided above. Monitor specifically for successful logons using the 'PROG' account name from unfamiliar IP addresses or at unusual times.

5. Backup and Restore: Verify that recent backups of the HMI/SCADA configurations are available. In the event of a permission modification or configuration corruption due to exploitation, a clean restore will be the fastest path to recovery.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub