Yokogawa CENTUM VP R6, R7

Monitor6.9ICS-CERT ICSA-26-057-09Feb 26, 2026

Attack VectorAdjacent

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Yokogawa CENTUM VP R6 and R7 Vnet/IP Interface Packages (versions R1.07.00 and earlier) contain multiple memory corruption vulnerabilities (CWE-787 buffer overflow, CWE-617 null pointer dereference, CWE-191 integer underflow, CWE-130 improper length validation). These vulnerabilities allow an attacker with adjacent network access to terminate the software stack process, cause denial-of-service, or execute arbitrary code. The vulnerabilities are not remotely exploitable and have high attack complexity, but exploit no authentication and affect critical distributed control system functionality.

What this means

What could happen

An attacker with network access to the Vnet/IP Interface Package could terminate the CENTUM VP software process, causing loss of monitoring and control capabilities, or potentially execute arbitrary code with system privileges on the controller.

Who's at risk

Energy and manufacturing facilities operating Yokogawa CENTUM VP R6 and R7 distributed control systems (DCS) should prioritize this issue. Specifically, any site using the Vnet/IP Interface Package (product code VP6C3300 for R6, VP7C3300 for R7) for process automation, monitoring, and control is affected. This includes plants controlling critical infrastructure such as power generation, water treatment, oil refining, and chemical processing.

How it could be exploited

An attacker must be on the same network segment as the CENTUM VP system (AV:A indicates adjacent network) and craft a specific malformed network packet to trigger a buffer overflow or similar memory corruption condition in the Vnet/IP Interface Package. Due to high attack complexity, the attacker needs detailed knowledge of the software internals and careful packet construction.

Prerequisites

Network access to the same network segment as the CENTUM VP system (not remotely exploitable)
No authentication required
Knowledge of Vnet/IP Interface Package internals and ability to craft malformed packets
CENTUM VP R6 (VP6C3300) running Vnet/IP version R1.07.00 or earlier, OR CENTUM VP R7 (VP7C3300) running Vnet/IP version R1.07.00 or earlier

Low attack complexity to exploitNo authentication requiredAffects process control system (DCS)No patch available at time of advisoryDenial-of-service impact on critical operations

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300): <=R1.07.00≤ R1.07.00R1.08.00

Vnet/IP Interface Package for CENTUM VP R7 (VP7C3300): <=R1.07.00≤ R1.07.00R1.08.00

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGIsolate CENTUM VP systems from business networks using firewalls and network segmentation to restrict access to the Vnet/IP Interface Package to trusted engineering workstations and control network only

HARDENINGImplement network access controls to ensure CENTUM VP systems are not accessible from the internet or untrusted networks

WORKAROUNDContact Yokogawa support at https://contact.yokogawa.com/cs/gw?c-id=000498 for clarification on patch availability and deployment timeline

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply Yokogawa patch software R1.08.00 or later to Vnet/IP Interface Package for both CENTUM VP R6 and R7

CVEs (6)

CVE-2025-1924 CVE-2025-48019 CVE-2025-48020 CVE-2025-48021 CVE-2025-48022 CVE-2025-48023

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a3a62f28-dce5-4c4f-8549-04bb219abff1