CISA Warns of Cleartext Data Leak in Yokogawa FAST/TOOLS and CI Server
CISA disclosed a high-severity vulnerability in Yokogawa's FAST/TOOLS and CI Server that leaks sensitive configuration data in cleartext, potentially aiding further attacks.

CISA has issued an advisory warning of a high-severity vulnerability affecting Yokogawa's FAST/TOOLS and Collaborative Information Server (CI Server) products. Tracked as CVE-2026-11833, the flaw allows an unauthenticated attacker to retrieve CI Server setting information in cleartext over the network. With a CVSS v3.1 base score of 7.5, the vulnerability is rated HIGH and could serve as a stepping stone for more sophisticated attacks against industrial control systems.
The vulnerability resides in the web server component of FAST/TOOLS versions R9.01 through R10.04 and CI Server versions R1.01 through R1.04. When exploited, the server returns a response containing the CI Server's configuration settings without any encryption. While the flaw does not directly allow code execution or system compromise, the leaked information—such as network topology, service credentials, or integration details—could enable an attacker to map the environment and plan follow-on exploits.
Yokogawa has released patches to address the issue. For FAST/TOOLS, users are advised to update to R10.04 and apply Service Pack 4 (R10.04 SP4). For CI Server, the recommended fix is to upgrade to version R1.05. The company detailed the mitigations in its security advisory YSAR-26-0004, which is available on Yokogawa's website. CISA also encourages organizations to follow defense-in-depth practices, including network segmentation and restricting ICS device exposure to the internet.
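
To turn the affected ranges and fixed releases above into a patch list, the following added example (not from CISA or Yokogawa) triages an asset inventory by recorded version. The inventory rows, hostnames and status labels are constructed for illustration, and the handling of service packs below SP4 and of releases newer than the fixed ones is an assumption marked in the comments.

```python
import re

# Affected ranges and fixed releases as stated in the article (CVE-2026-11833).
# Each fixed version is ((major, minor), service_pack).
AFFECTED = {"FAST/TOOLS": ((9, 1), (10, 4)), "CI Server": ((1, 1), (1, 4))}
FIXED = {"FAST/TOOLS": ((10, 4), 4), "CI Server": ((1, 5), 0)}

VERSION_RE = re.compile(r"^R(\d+)\.(\d+)(?:\s*SP\s*(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Parse 'R10.04' or 'R10.04 SP4' into ((10, 4), 4); no SP means 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)

def triage(product, version):
    """Return 'affected', 'patched', 'out-of-range', or 'unknown'."""
    if product not in AFFECTED:
        return "unknown"
    try:
        release, sp = parse_version(version)
    except ValueError:
        return "unknown"  # free-text or malformed entry: needs a manual check
    # Assumption: releases at or after the fixed one carry the fix.
    if (release, sp) >= FIXED[product]:
        return "patched"
    low, high = AFFECTED[product]
    # Assumption: R10.04 with a service pack below SP4 is still affected.
    if low <= release <= high:
        return "affected"
    return "out-of-range"  # older than the listed range; the article is silent

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("scada-hmi-01", "FAST/TOOLS", "R10.04 SP3"),
    ("scada-hmi-02", "FAST/TOOLS", "R10.04 SP4"),
    ("scada-eng-01", "FAST/TOOLS", "R9.01"),
    ("ci-plant-a", "CI Server", "R1.04"),
    ("ci-plant-b", "CI Server", "R1.05"),
    ("legacy-01", "FAST/TOOLS", "R8.03"),
]

def needs_patch(inventory):
    """Hosts whose recorded version falls in the affected range."""
    return [host for host, prod, ver in inventory if triage(prod, ver) == "affected"]

if __name__ == "__main__":
    print(needs_patch(INVENTORY))
```

Entries reported as `unknown` or `out-of-range` are not cleared by this check and should be verified against YSAR-26-0004 directly.
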
The affected products are deployed worldwide across critical manufacturing, energy, and food and agriculture sectors. Yokogawa, headquartered in Japan, is a major supplier of industrial automation and control systems. The broad deployment footprint means that unpatched systems could be targeted by adversaries seeking to gain a foothold in critical infrastructure environments.
As of the advisory's publication, CISA reports no known public exploitation of CVE-2026-11833. However, the agency emphasizes that the vulnerability's low attack complexity—requiring no privileges or user interaction—makes it an attractive target for threat actors. The flaw is classified under CWE-319 (Cleartext Transmission of Sensitive Information), a common weakness in legacy industrial protocols and web interfaces.
This advisory is part of a broader trend of vulnerabilities in industrial control systems that expose sensitive data in transit. Similar issues have been found in products from Siemens, Rockwell Automation, and other ICS vendors. Organizations using Yokogawa's software should prioritize patching, especially for systems that are network-accessible. CISA also recommends monitoring for anomalous network traffic that could indicate reconnaissance attempts targeting CI Server endpoints.