
AzeoTech DAQFactory CVE-2025-66585

Severity: HIGH
Weakness: Use After Free (CWE-416)
Date: 2025-12-11 · Source: ics-cert@hq.dhs.gov
Score: 7.3 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 7.3 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; NVD is the only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Passive (P)
Scope: Not defined (X)

Lifecycle Timeline

1. Analysis Generated: Jun 04, 2026 - 21:30 (vuln.today)

Description (CVE.org)

In AzeoTech DAQFactory release 20.7 (Build 2555), a use after free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.

Analysis (AI)

Local code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a user opens a maliciously crafted .ctl project file, triggering a use-after-free condition (CWE-416) in the parser. The flaw was reported by ICS-CERT (DHS) and documented in CISA ICS advisory ICSA-25-345-03, but no public exploit was identified at the time of analysis and the vulnerability is not listed in CISA KEV.

Technical Context (AI)

DAQFactory is a Windows-based HMI/SCADA development environment from AzeoTech used to build data-acquisition and supervisory applications in industrial and laboratory environments. The vulnerability resides in the routine that parses .ctl control/project files, which is a proprietary DAQFactory file format loaded by the desktop application. CWE-416 (Use After Free) means the parser frees a heap object and then continues to use a dangling reference to it; an attacker who controls the freed-then-reused memory contents can corrupt program state and, with a carefully crafted heap layout, redirect execution flow to attacker-controlled code, executing in the security context of the DAQFactory process - typically an engineering workstation user, but potentially a more privileged service account in OT environments.

Remediation (AI)

No vendor-released patch version is independently confirmed from the supplied data; consult the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 and AzeoTech directly for an upgraded build past 20.7 Build 2555. Until a fixed build is confirmed and deployed, restrict DAQFactory to opening .ctl files only from trusted, integrity-verified sources (internal version control, signed artifact repositories) and treat .ctl files arriving by email, USB, or third-party download as untrusted; enforce this with file-source allow-listing on engineering workstations, accepting that legitimate vendor-supplied sample projects may also be blocked. Run DAQFactory under a least-privilege Windows account rather than a local administrator account to limit the blast radius of any code execution, isolate engineering workstations from production OT networks behind firewalled jump hosts, and add EDR/AppLocker rules that flag DAQFactory.exe spawning shells or LOLBins, accepting some false-positive overhead during legitimate scripting workflows.
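Two of the controls above (flagging DAQFactory.exe when it spawns a shell or LOLBin, and allow-listing where .ctl files may be opened from) can be expressed as small checks. The Python below is an added example written for this page, not code from vuln.today, CISA or AzeoTech: the process-creation records, the file paths, the trusted root, the hash manifest and the list of suspicious child images are all constructed assumptions, and the field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1 naming as the assumed log schema.

```python
"""Defender-side checks matching the remediation guidance for CVE-2025-66585.

Added example for this page, not code from vuln.today, CISA or AzeoTech. Every
event record, path, trusted root, manifest entry and LOLBin entry below is a
constructed assumption; the log fields mirror Sysmon Event ID 1 naming.
"""
import hashlib
import hmac
from pathlib import PureWindowsPath

# Child images an HMI/SCADA editor has no routine reason to launch (constructed list).
SUSPICIOUS_CHILDREN = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
})


def _basename(image):
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return PureWindowsPath(image).name.lower()


def flag_daqfactory_children(events, allowed_cmdlines=()):
    """Return the events in which DAQFactory.exe spawned a shell or LOLBin.

    `events` is an iterable of dicts carrying ParentImage, Image and CommandLine.
    `allowed_cmdlines` holds exact command lines a site has vetted as part of its
    legitimate scripting workflow; suppressing them is the false-positive
    trade-off the remediation text mentions.
    """
    allowed = frozenset(allowed_cmdlines)
    findings = []
    for ev in events:
        if _basename(ev.get("ParentImage", "")) != "daqfactory.exe":
            continue
        child = _basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "")
        if child in SUSPICIOUS_CHILDREN and cmdline not in allowed:
            findings.append({"child": child, "CommandLine": cmdline})
    return findings


def ctl_source_allowed(path, trusted_roots, manifest, data):
    """Allow a .ctl file only if it sits under a trusted root and its SHA-256
    matches the manifest released from version control.

    A file arriving by email, USB or download lies outside every trusted root
    and is rejected before its contents are even hashed.
    """
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".ctl":
        return False
    # PureWindowsPath equality is case-insensitive, as Windows paths are.
    if not any(PureWindowsPath(root) in p.parents for root in trusted_roots):
        return False
    expected = manifest.get(p.name.lower())
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# --- constructed sample input (not real telemetry) ---------------------------
DAQ = r"C:\Program Files\DAQFactory\DAQFactory.exe"
SAMPLE_EVENTS = [
    {"ParentImage": DAQ, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo test"},
    {"ParentImage": DAQ, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Projects\daq\README.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ParentImage": DAQ,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Projects\daq\export_report.ps1"},
]
# Command lines the site has reviewed and accepted (constructed).
ALLOWED_CMDLINES = (r"powershell.exe -File C:\Projects\daq\export_report.ps1",)

TRUSTED_ROOTS = (r"C:\Projects",)
SAMPLE_CTL = b"constructed stand-in for a DAQFactory .ctl project file"
MANIFEST = {"line1.ctl": hashlib.sha256(SAMPLE_CTL).hexdigest()}

if __name__ == "__main__":
    for f in flag_daqfactory_children(SAMPLE_EVENTS, ALLOWED_CMDLINES):
        print("ALERT: DAQFactory.exe spawned", f["child"], "->", f["CommandLine"])
    print("line1.ctl under C:\\Projects allowed:",
          ctl_source_allowed(r"C:\Projects\daq\line1.ctl", TRUSTED_ROOTS, MANIFEST, SAMPLE_CTL))
    print("line1.ctl from removable drive allowed:",
          ctl_source_allowed(r"E:\line1.ctl", TRUSTED_ROOTS, MANIFEST, SAMPLE_CTL))
```

Run as a script it prints one alert (the cmd.exe child; the vetted PowerShell export script is suppressed by the allow-list) and allows the .ctl file only when it comes from under the trusted root with an unchanged hash. The source check deliberately tests location before content: a file copied to a removable drive is rejected even if its bytes still match the manifest, which is the behaviour the allow-listing guidance above asks for.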
