Hard-Coded Backdoors in Industrial Control Systems: The Yokogawa CENTUM VP Alert

In the world of Industrial Control Systems (ICS), security is often stuck in a tug-of-war with “old-school” convenience.

For decades, hard-coded credentials, essentially permanent, unchangeable passwords baked into the software, were viewed as a vital safety net. The logic was simple: if an engineer forgot a password or there was a middle-of-the-night emergency, that “secret” backdoor ensured they could always get in to keep the plant running.

Fast forward to 2026, and that safety net has rotted. What was meant to be an emergency entrance has turned into a massive neon sign for hackers. These built-in backdoors are now the primary targets for local exploits. Once an attacker gets a foot in the door, they don’t need to “crack” your security; they just use the keys the manufacturer left under the mat. It’s a classic case of yesterday’s solutions becoming today’s biggest headaches.

Wizdok looks at a recent CISA advisory (ICSA-26-092-02) that flags a significant vulnerability in Yokogawa’s CENTUM VP, a distributed control system (DCS) used globally in critical manufacturing, energy, and food production. The flaw, identified as CVE-2025-7741, highlights the persistent danger of hard-coded passwords within infrastructure that keeps the world’s power and production lines running.

Technical Investigation: CVE-2025-7741

At the heart of this vulnerability is the “PROG” user account, which is utilized specifically when the system is set to “CENTUM Authentication Mode.” Yokogawa confirmed that affected versions of the software contain a hard-coded password for this account.

The Risk Profile

While the base severity score is rated as 4.0 (Medium), the context of where this software sits inside power plants and refineries makes any unauthorized access a serious concern.

  • Attack Vector: Local. This means an attacker needs physical or remote desktop access to the Human Interface Station (HIS) screen controls.
  • The “PROG” Account: By default, this account is assigned “S1” permissions (equivalent to an “OFFUSER”). Under normal circumstances, this level of access prevents critical operations or major configuration changes.
  • The Danger Zone: The real threat emerges if a system administrator has previously elevated the permissions of the PROG user for maintenance or integration purposes. In such cases, an attacker using the hard-coded password could gain full control over the DCS environment, leading to potential operational shutdowns or equipment damage.

Affected Versions and Remediation

Yokogawa has identified that the vulnerability spans several generations of the CENTUM VP platform. If you are managing an ICS environment, check your version numbers against the list below:

1. CENTUM VP R5 (Versions R5.01.00 to R5.04.20)

  • Status: Known Affected.
  • Fix: There is no specific software patch for these older versions. Users are urged to migrate from CENTUM Authentication Mode to Windows Authentication Mode. This moves the credential management away from the hard-coded software layer and into the more robust Windows security ecosystem.

2. CENTUM VP R6 (Versions R6.01.00 to R6.12.00)

  • Status: Known Affected.
  • Fix: Similar to the R5 series, the primary mitigation is a shift to Windows Authentication Mode. Note that this requires significant engineering work and coordination with Yokogawa technical support to ensure system stability.

3. CENTUM VP R7 (Version R7.01.00)

  • Status: Known Affected.
  • Fix: For the most modern iteration of the software, Yokogawa has released Software Patch R7.01.10. Applying this update addresses the vulnerability directly without necessarily requiring a full authentication mode migration.

Defensive Strategies for ICS Environments

Beyond applying the specific Yokogawa patches, this advisory serves as a reminder of the “Defense-in-Depth” strategy required for critical infrastructure. CISA and Yokogawa recommend the following hardened practices:

Network Isolation

Control systems should never be directly accessible from the internet. Ensure that your ICS network is located behind a robust firewall and is logically (and ideally physically) isolated from the business or corporate office networks.

Secure Remote Access

If remote access is a business necessity, it must be handled via a secure VPN. However, remember that a VPN is only as secure as the device connecting to it. Ensure that any laptop or workstation accessing the CENTUM VP environment is fully patched and monitored.

Permission Auditing

Regularly audit the permissions of default accounts like “PROG.” In industrial settings, it is common for temporary permission boosts to become permanent fixtures. Reverting these accounts to their lowest required privilege level can mitigate the impact of a credential leak.
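The version ranges under “Affected Versions and Remediation” and the PROG permission audit described above can be combined into one triage pass over a station inventory. The following is an added example, not Yokogawa or CISA code; the inventory records, host names and field names (version, auth_mode, prog_privilege) are constructed assumptions, and any privilege other than “S1” is treated as elevated.

```python
import re

# Affected ranges (inclusive) and fixes, as listed in this article.
AFFECTED = {
    5: ((5, 1, 0), (5, 4, 20), "migrate to Windows Authentication Mode"),
    6: ((6, 1, 0), (6, 12, 0), "migrate to Windows Authentication Mode"),
    7: ((7, 1, 0), (7, 1, 0), "apply Software Patch R7.01.10"),
}

# Constructed sample inventory; hosts and field names are assumptions.
INVENTORY = [
    {"host": "HIS0164", "version": "R5.04.20", "auth_mode": "CENTUM", "prog_privilege": "S1"},
    {"host": "HIS0163", "version": "R6.09.00", "auth_mode": "CENTUM", "prog_privilege": "S3"},
    {"host": "HIS0162", "version": "R6.12.00", "auth_mode": "Windows", "prog_privilege": "S1"},
    {"host": "HIS0161", "version": "R7.01.10", "auth_mode": "CENTUM", "prog_privilege": "S1"},
]

def parse_version(text):
    """Turn 'R6.12.00' into (6, 12, 0); reject anything else."""
    m = re.fullmatch(r"R(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(station):
    """Return (priority, action) for one station record."""
    version = parse_version(station["version"])
    entry = AFFECTED.get(version[0])
    if entry is None or not (entry[0] <= version <= entry[1]):
        return ("not-listed", "outside the affected ranges listed in this article")
    fix = entry[2]
    if station["auth_mode"].strip().lower() != "centum":
        return ("low", "CENTUM Authentication Mode not in use; verify the mode setting")
    if station["prog_privilege"].strip().upper() != "S1":
        return ("urgent", f"PROG is above S1: revert to S1, then {fix}")
    return ("exposed", fix)

def report(inventory):
    """Sort stations so the most urgent come first."""
    order = {"urgent": 0, "exposed": 1, "low": 2, "not-listed": 3}
    rows = [(s["host"], *triage(s)) for s in inventory]
    return sorted(rows, key=lambda row: order[row[1]])

if __name__ == "__main__":
    for host, priority, action in report(INVENTORY):
        print(f"{host:8} {priority:10} {action}")
```

A “not-listed” result only means the version falls outside the ranges quoted here; it is not a statement that the release is unaffected.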

The Bottom Line for Engineers

The discovery of CVE-2025-7741 proves that even “hidden” or “background” accounts can become liabilities. If you are operating on CENTUM VP R5 or R6, the time to plan your transition to Windows Authentication is now. For R7 users, the R7.01.10 patch should be treated as a high-priority maintenance task.

In the world of critical manufacturing, security is a continuous engineering challenge, not a one-time software update.
