
AzeoTech DAQFactory CVE-2026-12921

EUVD: EUVD-2026-39513 · HIGH
Use After Free (CWE-416)
2026-06-25 · icscert · GHSA-3mp5-47hq-xq78
8.4 (CVSS 4.0 · Vendor: icscert)

Severity by source

Vendor (icscert), primary rating: 8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.8 HIGH

Local file-open vector (AV:L) with mandatory operator action (UI:R) and no prior privileges (PR:N); code execution yields full C/I/A impact in an unchanged scope.

CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS Vector (Vendor: icscert)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: A
Scope: X

Lifecycle Timeline

1. Analysis Generated: Jun 25, 2026 - 18:55 (vuln.today)

Description (CVE.org)

In AzeoTech DAQFactory versions 21.1 and prior, a Use After Free vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.

Analysis (AI)

Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered when the application parses a maliciously crafted .ctl project/control file. An attacker who can convince an operator to open a booby-trapped .ctl file can corrupt memory and run code in the context of the DAQFactory process on the engineering or HMI workstation. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft malicious .ctl project file
Delivery: Deliver via email or shared storage
Exploit: Operator opens file in DAQFactory
Execution: Trigger use-after-free in parser
Persist: Hijack dangling pointer
Impact: Execute arbitrary code on HMI host

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a victim to open a specially crafted .ctl (DAQFactory control/project) file in AzeoTech DAQFactory version 21.1 or earlier; the malicious file format is the exact trigger named in the advisory. …

Risk Assessment: Signals are largely consistent and point to a real but operator-gated risk rather than a mass-exploitable internet threat. …

Exploit Scenario: An attacker delivers a DAQFactory project file (.ctl) crafted to trigger the use-after-free, posing as an updated HMI screen or control configuration. When an engineer opens the file in DAQFactory on the workstation, the dangling pointer is exploited to execute attacker code in the application's context, establishing a foothold on the control-system host. …

Remediation: No vendor-released patch version is identified in the available data, so the fixed release must be confirmed directly from AzeoTech and the CISA ICS advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-02 (ICSA-26-169-02); upgrade to the vendor-designated fixed version once confirmed. …

Recommended Action (AI)

24 hours: Inventory all DAQFactory deployments; restrict .ctl file access to internal sources only and disable unsolicited file handling. …
