AzeoTech DAQFactory CVE-2025-66586

HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2025-12-11 ics-cert@hq.dhs.gov
7.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Passive (P)
Scope: X

Lifecycle Timeline

Analysis Generated
Jun 04, 2026 - 21:30 vuln.today

Description (CVE.org)

In AzeoTech DAQFactory release 20.7 (Build 2555), an access of resource using incompatible type vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.

Analysis (AI)

Type confusion in AzeoTech DAQFactory 20.7 (Build 2555) enables arbitrary code execution when a user opens a maliciously crafted .ctl project file, corrupting memory in the parser and running attacker-controlled code in the process context. Reported through CISA ICS-CERT and tracked in ICS advisory ICSA-25-345-03, the flaw affects industrial data acquisition and HMI deployments; no public exploit identified at time of analysis and EPSS data was not provided.

Technical Context (AI)

DAQFactory is an HMI/SCADA and data acquisition platform used in industrial control system (ICS) environments, where .ctl files store project, screen, and channel configuration consumed by the runtime. The root cause is CWE-843 (Access of Resource Using Incompatible Type, commonly known as type confusion): the .ctl parser interprets a memory region as one object type while it actually contains another, causing pointer or vtable misuse. The tags 'Buffer Overflow, Memory Corruption' on this record reinforce that reading. The supplied CPE (cpe:2.3:a:azeotech:daqfactory:*:*:*:*:*:*:*:*) marks the application as affected without any architecture or platform qualifier, but the description explicitly pins the issue to release 20.7 Build 2555.

Remediation (AI)

No vendor-released patch was identified in the provided data at the time of analysis. Consult CISA ICSA-25-345-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03) and the CSAF document for the latest fixed build from AzeoTech, and upgrade DAQFactory beyond release 20.7 Build 2555 once a fixed build is published.

Until a patched build is available:

- Restrict .ctl file handling to trusted, signed sources only.
- Block .ctl attachments at the email gateway and web proxy (trade-off: legitimate project sharing must move to an internal repository with integrity checks).
- Isolate DAQFactory engineering workstations from general-purpose user networks and the internet to limit malicious-file delivery.
- Enforce application allowlisting plus least-privilege user accounts so that successful exploitation does not yield SYSTEM-level access on the ICS host.
