AzeoTech DAQFactory CVE-2026-12390

EUVD: EUVD-2026-37930 · HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-06-18 · icscert · GHSA-m6fh-8jwg-xrjx
8.4 · CVSS 4.0 · Vendor: icscert
Severity by source

Vendor (icscert), primary: 8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.8 HIGH

Parsing a local .ctl file requires the user to open it (UI:R) but no privileges (PR:N); type confusion yields full process-level code execution, so C/I/A all High; scope unchanged.

CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS Vector (Vendor: icscert)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: A
Scope: X

Lifecycle Timeline

Analysis Generated: Jun 18, 2026 - 19:00 (vuln.today)

Description (CVE.org)

In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.

Analysis (AI)

Code execution in AzeoTech DAQFactory versions 21.1 and prior is achievable when a user opens a maliciously crafted .ctl project file, triggering a CWE-843 type confusion that corrupts memory. The flaw was reported through CISA ICS-CERT, which is significant because DAQFactory is HMI/SCADA software where engineering project files are routinely shared between integrators and operators. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Craft malicious .ctl file
Delivery: Deliver via email or integrator share
Exploit: Engineer opens file in DAQFactory
Install: Parser hits type-confusion path
C2: Hijack control flow via mistyped pointer
Execute: Execute arbitrary code as user
Impact: Pivot into OT network

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to deliver a crafted .ctl project file to a host running AzeoTech DAQFactory 21.1 or earlier AND for a local user to actively open that file in DAQFactory (UI:A / UI:R) - the parser is not reachable over the network. …

Risk Assessment: The CVSS 4.0 score of 8.4 reflects a high-impact but locally-vectored issue: AV:L plus UI:A means an attacker cannot reach the parser remotely without first delivering the .ctl file and convincing a user to open it in DAQFactory, while PR:N and AC:L mean that once the file is opened no privileges or special timing are required. …

Exploit Scenario: An attacker crafts a .ctl file whose serialized object layout triggers the type-confusion path in DAQFactory's project loader, then delivers it to a control-systems engineer as an 'updated screen file' via spear-phishing, a poisoned integrator share, or USB. When the engineer opens the file in DAQFactory 21.1 or earlier on their engineering workstation, the parser dereferences attacker-controlled bytes as a vtable or function pointer, executing arbitrary shellcode in the user's context and providing a foothold inside the OT network. …

Remediation: Upgrade to the AzeoTech-released fixed build identified in CISA advisory ICSA-26-169-02 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-02); a specific patched version number was not included in the input data, so confirm the exact target version directly from AzeoTech or the advisory before deploying. …

Recommended Action (AI)

Within 24 hours: Identify all systems running DAQFactory versions 21.1 and earlier; document version inventory and network connectivity. …
