AzeoTech DAQFactory CVE-2025-66585
Severity: HIGH (by source)
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
In AzeoTech DAQFactory release 20.7 (Build 2555), a use after free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.
Analysis (AI)
Local code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a user opens a maliciously crafted .ctl project file, triggering a use-after-free condition (CWE-416) in the file parser. The CVSS 4.0 vector reflects that delivery path: local attack vector (AV:L), no privileges required (PR:N), user interaction required (UI:P) and high attack complexity (AC:H), with high impact on the confidentiality, integrity and availability of the vulnerable system and no impact on subsequent systems. The flaw was reported by ICS-CERT (DHS) and is documented in CISA ICS advisory ICSA-25-345-03; no public exploit was identified at the time of analysis, and the CVE is not listed in CISA KEV.
Technical Context (AI)
DAQFactory is a Windows-based HMI/SCADA development environment from AzeoTech used to build data-acquisition and supervisory applications in industrial and laboratory settings. The vulnerability lies in the routine that parses .ctl files, the proprietary project format loaded by the desktop application, so it is reached only when a user opens or imports such a file. CWE-416 (Use After Free) means the parser frees a heap object and later dereferences a stale pointer to it. If the attacker can arrange, through the contents of the crafted file, for the freed chunk to be reallocated and filled with attacker-chosen bytes before the stale pointer is used, the object's fields (including any function pointer or vtable pointer it holds) are under attacker control, and the next indirect call or write through them corrupts program state or redirects execution. The resulting code runs in the security context of the DAQFactory process: typically the engineering-workstation user who opened the file, but potentially a more privileged account where the application is run by an administrator or as a service in OT environments. Reliable exploitation depends on controlling the heap layout at the moment of reuse, which is consistent with the AC:H rating in the vector.
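The sequence just described (free, reuse of the freed chunk, dereference through a stale pointer) is easiest to see in a small C program. What follows is an added example written for this page, not DAQFactory's code and not the real .ctl format, which is proprietary; the OBJ/DEL/CALL directives, the object layout and the hardening are hypothetical. The same input is run through two configurations of one parser: one that clears its alias when it frees the object, and one that does not.

```c
/* Added illustration of CWE-416 for this page (not DAQFactory's code; the real
 * .ctl format is proprietary and not documented here). The toy "control file"
 * has three hypothetical directives:  OBJ <name>  allocates a heap object,
 * DEL <name>  frees it,  CALL <name>  invokes its handler via a function pointer.
 * Build:  cc -std=c11 -Wall -fsanitize=address -DRUN_VULNERABLE uaf_demo.c     */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS 8
#define MAX_NAME 16

enum { CTL_OK = 0, CTL_ERR_SYNTAX, CTL_ERR_UNKNOWN_OBJECT, CTL_ERR_FULL };

typedef struct ctl_obj {
    char name[MAX_NAME];
    void (*on_call)(struct ctl_obj *);  /* indirect call: the classic UAF target */
    int calls;
} ctl_obj;

static void default_on_call(ctl_obj *o) { o->calls++; }

static ctl_obj *new_obj(const char *name) {
    ctl_obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    snprintf(o->name, sizeof o->name, "%s", name);
    o->on_call = default_on_call;
    return o;
}

/* In the vulnerable configuration a DEL'd slot still holds the freed pointer,
 * so this lookup reads ->name out of freed memory (the first use-after-free). */
static int find_obj(ctl_obj **table, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (table[i] && strcmp(table[i]->name, name) == 0)
            return i;
    return -1;
}

/* One directive per line. hardened=0 reproduces the CWE-416 pattern: free()
 * without clearing the alias, so a later CALL dereferences and jumps through
 * freed memory, which an attacker who has reallocated that chunk with
 * file-controlled bytes would own. hardened=1 clears the alias at free time and
 * turns the same input into a clean CTL_ERR_UNKNOWN_OBJECT. */
static int parse_ctl(const char *text, int hardened, int *calls_out) {
    ctl_obj *table[MAX_OBJS] = {0};
    int n = 0, calls = 0, rc = CTL_OK;
    const char *p = text;

    while (*p && rc == CTL_OK) {
        char line[64], op[8], name[MAX_NAME];
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) { rc = CTL_ERR_SYNTAX; break; }
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (p[len] == '\n');            /* consume the newline if present */
        if (len == 0) continue;                  /* blank line */
        if (sscanf(line, "%7s %15s", op, name) != 2) { rc = CTL_ERR_SYNTAX; break; }

        if (strcmp(op, "OBJ") == 0) {
            if (n == MAX_OBJS) { rc = CTL_ERR_FULL; break; }
            table[n++] = new_obj(name);
            continue;
        }
        if (strcmp(op, "DEL") != 0 && strcmp(op, "CALL") != 0) { rc = CTL_ERR_SYNTAX; break; }

        int i = find_obj(table, n, name);
        if (i < 0) { rc = CTL_ERR_UNKNOWN_OBJECT; break; }
        if (strcmp(op, "DEL") == 0) {
            free(table[i]);
            if (hardened) table[i] = NULL;       /* hardened: no alias survives the free */
            /* vulnerable: table[i] is now a dangling pointer */
        } else {
            table[i]->on_call(table[i]);         /* vulnerable: call through a freed object */
            calls++;
        }
    }
    for (int i = 0; i < n; i++) free(table[i]);  /* vulnerable: double free after a DEL */
    if (calls_out) *calls_out = calls;
    return rc;
}

/* Wrappers so the hardened behaviour can be checked as plain return values. */
static int hardened_rc(const char *text)    { return parse_ctl(text, 1, NULL); }
static int hardened_calls(const char *text) { int c = 0; parse_ctl(text, 1, &c); return c; }

int main(void) {
    const char *crafted = "OBJ pump\nDEL pump\nCALL pump\n";   /* constructed input */
    const char *benign  = "OBJ pump\nOBJ valve\nCALL pump\nCALL valve\nDEL valve\n";
    printf("hardened: crafted rc=%d (2 = unknown object), benign calls=%d\n",
           hardened_rc(crafted), hardened_calls(benign));
#ifdef RUN_VULNERABLE
    int c = 0;
    printf("vulnerable: rc=%d\n", parse_ctl(crafted, 0, &c));   /* ASan: heap-use-after-free */
#endif
    return 0;
}
```

Build with `-fsanitize=address -DRUN_VULNERABLE` to see AddressSanitizer report the heap-use-after-free (and the double free at cleanup) on the vulnerable path; without the define only the hardened path runs. In a real file loader the equivalent fix is ownership discipline (one owner frees, every other reference is cleared or invalidated at that point) combined with fuzzing the loader under ASan so this pattern is found before release.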
Remediation (AI)
No vendor-released fix is confirmed by the data on this page; consult the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 and AzeoTech directly for a build newer than 20.7 Build 2555, and verify that it addresses this CVE before relying on it. Until a fixed build is deployed, open .ctl files only from trusted, integrity-verified sources (internal version control, a signed artifact repository) and treat .ctl files arriving by email, USB or third-party download as untrusted; enforcing this may also block legitimate vendor-supplied sample projects, which is the trade-off to accept. Because exploitation yields code execution in the DAQFactory process, run the application under a least-privilege Windows account rather than a local administrator, isolate engineering workstations from production OT networks behind firewalled jump hosts, and constrain what can execute on those workstations with AppLocker or WDAC. Add EDR detection for DAQFactory.exe spawning command shells, script interpreters or other LOLBins; legitimate DAQFactory scripting workflows that launch external programs will need allow-list exceptions, so expect some false-positive tuning.
More in DAQFactory
Code execution in AzeoTech DAQFactory versions 21.1 and prior is achievable when a user opens a maliciously crafted .ctl
Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered wh
Out-of-bounds write in AzeoTech DAQFactory release 20.7 (Build 2555) enables arbitrary code execution or denial of servi
Arbitrary code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a local user opens or interac
Type confusion in AzeoTech DAQFactory 20.7 (Build 2555) enables arbitrary code execution when a user opens a maliciously
Same weakness: CWE-416 – Use After Free
Same technique: Buffer Overflow