AzeoTech DAQFactory CVE-2025-66588

HIGH
Access of Uninitialized Pointer (CWE-824)
2025-12-11 ics-cert@hq.dhs.gov
8.4
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Active
Scope: X

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 21:31 vuln.today

Description (CVE.org)

In AzeoTech DAQFactory release 20.7 (Build 2555), an access of uninitialized pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution.

Analysis (AI)

Arbitrary code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a local user opens or interacts with attacker-supplied content that triggers an access-of-uninitialized-pointer condition. The flaw was reported through CISA ICS-CERT and is tracked in ICS advisory ICSA-25-345-03. No public exploit was identified at the time of analysis. The CVSS 4.0 vector (AV:L/AC:L/PR:N/UI:A) indicates a local attack vector with required user interaction rather than remote network exploitation.
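To check that reading of the vector mechanically, the following added example (not part of the original page or of any vendor tooling) validates and decodes a CVSS 4.0 vector string and derives triage flags from it. The function names `parse_cvss4` and `exposure` are hypothetical; the metric tables follow the CVSS v4.0 specification.

```python
# Added example: validate and decode a CVSS 4.0 vector string.
BASE = {  # mandatory base metrics -> allowed values (CVSS v4.0 specification)
    "AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
    "AC": {"L": "Low", "H": "High"},
    "AT": {"N": "None", "P": "Present"},
    "PR": {"N": "None", "L": "Low", "H": "High"},
    "UI": {"N": "None", "P": "Passive", "A": "Active"},
    **{m: {"H": "High", "L": "Low", "N": "None"}
       for m in ("VC", "VI", "VA", "SC", "SI", "SA")},
}
# Threat, environmental and supplemental metric names; "X" means Not Defined.
OPTIONAL = set("E CR IR AR MAV MAC MAT MPR MUI MVC MVI MVA "
               "MSC MSI MSA S AU R V RE U".split())

def parse_cvss4(vector):
    """Return (base, extra): decoded base metrics and optional metrics that are set."""
    prefix, *parts = vector.strip().split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector")
    seen = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or name in seen or name not in BASE.keys() | OPTIONAL:
            raise ValueError(f"malformed, duplicate or unknown metric: {part!r}")
        seen[name] = value
    base = {}
    for name, allowed in BASE.items():
        if seen.get(name) not in allowed:
            raise ValueError(f"missing or invalid base metric {name}")
        base[name] = allowed[seen[name]]
    extra = {n: v for n, v in seen.items() if n in OPTIONAL and v != "X"}
    return base, extra

def exposure(base):
    """Triage flags derived from the decoded base metrics."""
    return {
        "remote": base["AV"] in ("Network", "Adjacent"),
        "needs_user_action": base["UI"] != "None",
        "needs_privileges": base["PR"] != "None",
        "subsequent_system_impact": any(base[m] != "None" for m in ("SC", "SI", "SA")),
    }

# The vector published for CVE-2025-66588, copied from this page.
PAGE_VECTOR = ("CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/"
               "E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/"
               "MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X")

if __name__ == "__main__":
    base, extra = parse_cvss4(PAGE_VECTOR)
    print(base, extra, exposure(base))
```

For this page's vector every threat, environmental and supplemental metric is Not Defined, so the published 8.4 rests on the base metrics alone.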

Technical Context (AI)

DAQFactory is an HMI/SCADA development environment from AzeoTech used for data acquisition, control, and visualization in industrial and OT environments. The root cause is CWE-824 (Access of Uninitialized Pointer), a memory-safety class in which the program dereferences a pointer whose value has not been deterministically set; depending on the surrounding allocator state and stack/heap layout, the dereference can read from or write to attacker-influenceable memory, enabling control-flow hijack and arbitrary code execution in the DAQFactory process. The affected component is identified by CPE cpe:2.3:a:azeotech:daqfactory:*:*:*:*:*:*:*:* with release 20.7 (Build 2555) explicitly called out by the vendor/CISA coordination.

Remediation (AI)

No vendor-released patch was identified at the time of analysis from the provided data. Consult the CISA ICS advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 and the corresponding CSAF record for the latest fixed build from AzeoTech, and apply it to all engineering workstations running DAQFactory 20.7 (Build 2555). Until a fixed build is deployed, restrict DAQFactory installations to dedicated, network-segmented engineering hosts; prohibit opening DAQFactory project files (.ctl) or configurations received from untrusted sources or email; enforce application allow-listing so DAQFactory cannot spawn unexpected child processes; and run the application under a least-privileged Windows account. The trade-off is that engineers may lose convenience features such as direct project sharing and may require manual review of files transferred between sites.