Security Experts:

Connect with us

Hi, what are you looking for?



Yokogawa Patches Flaws Allowing Disruption, Manipulation of Physical Processes

Japanese automation giant Yokogawa recently patched a series of vulnerabilities in control system products that, according to researchers, can be exploited for the disruption or manipulation of physical processes.

Japanese automation giant Yokogawa recently patched a series of vulnerabilities in control system products that, according to researchers, can be exploited for the disruption or manipulation of physical processes.

Researchers from industrial cybersecurity company Dragos have discovered a total of ten vulnerabilities in Yokogawa’s CENTUM VP distributed control system (DCS) and the Exaopc OPC server for CENTUM systems.

Yokogawa shared information about the security holes in January and February, and the US Cybersecurity and Infrastructure Security Agency (CISA) published its own advisory in late March.

The vulnerabilities are related to hardcoded credentials, path traversal, command injection, DLL hijacking, inappropriate access privileges, and uncontrolled resource consumption. The flaws, several of which have been assigned a “high severity” rating, can be exploited to access data, suppress alarms, overwrite or delete files, execute arbitrary commands, crash servers, and escalate privileges.

Exploitation of some vulnerabilities requires local access to the targeted system, while others can be exploited by sending specially crafted packets to the Consolidated Alarm Management Software (CAMS) for the human interface station (HIS or HMI).

“Most likely, the adversary would need access to the LAN for successful exploitation,” Sam Hanson, vulnerability specialist in Dragos’ Threat Operations Center, told SecurityWeek. “However, if the HIS is somehow internet-facing then exploitation from the internet is possible.”

Hanson said Dragos has no evidence of exploitation in the wild. However, in a real world attack, an attacker could exploit the vulnerabilities to take control of the HIS or render it useless by causing a DoS condition.

“An adversary could use these issues to affect a loss of control and loss of view. Depending on the configuration, the adversary could manipulate physical process controls,” Hanson said.

Learn more about vulnerabilities in industrial systems security at SecurityWeek’s ICS Cyber Security Conference 

Yokogawa has released patches and mitigations for affected products. However, CENTUM CS 3000 products, which have reached end of support, will not receive updates and customers have been advised to update to CENTUM VP. Additional information from the vendor is available in its advisory.

“CENTUM VP has been targeted in the past by security researchers. HIS operations involve many file system interactions and therefore there are plenty of places for bugs (such as directory traversals) to appear,” Hanson explained. “While security has improved over time, Dragos expects more of this type of issue to surface until Yokogawa can find a way to mitigate these issues en masse (through file system permissions, sandboxing, or utilizing a common DLL for file access, etc.).”

Dragos reported in February that 1,703 ICS/OT vulnerabilities were assigned a CVE identifier in 2021, more than twice as many as in the previous year. More than two-thirds of the flaws analyzed by the company affected systems located deep within the industrial network.

Related: Severe Flaws Found in Yokogawa Switches, Control Systems

Related: Serious DoS Flaw Impacts Several Yokogawa Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.