Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Parsing a local .ctl file requires the user to open it (UI:R) but no privileges (PR:N); type confusion yields full process-level code execution, so C/I/A all High; scope unchanged.
Primary rating from Vendor (icscert).
Description (CVE.org)
In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.
Analysis (AI)
Code execution in AzeoTech DAQFactory versions 21.1 and prior is achievable when a user opens a maliciously crafted .ctl project file, triggering a CWE-843 type confusion that corrupts memory. The flaw was reported through CISA ICS-CERT, which is significant because DAQFactory is HMI/SCADA software where engineering project files are routinely shared between integrators and operators. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the attacker to deliver a crafted .ctl project file to a host running AzeoTech DAQFactory 21.1 or earlier AND for a local user to actively open that file in DAQFactory (UI:A / UI:R) - the parser is not reachable over the network. … |
| Risk Assessment | The CVSS 4.0 score of 8.4 reflects a high-impact but locally-vectored issue: AV:L plus UI:A means an attacker cannot reach the parser remotely without first delivering the .ctl file and convincing a user to open it in DAQFactory, while PR:N and AC:L mean that once the file is opened no privileges or special timing are required. … |
| Exploit Scenario | An attacker crafts a .ctl file whose serialized object layout triggers the type-confusion path in DAQFactory's project loader, then delivers it to a control-systems engineer as an 'updated screen file' via spear-phishing, a poisoned integrator share, or USB. When the engineer opens the file in DAQFactory 21.1 or earlier on their engineering workstation, the parser dereferences attacker-controlled bytes as a vtable or function pointer, executing arbitrary shellcode in the user's context and providing a foothold inside the OT network. … |
| Remediation | Upgrade to the AzeoTech-released fixed build identified in CISA advisory ICSA-26-169-02 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-02); a specific patched version number was not included in the input data, so confirm the exact target version directly from AzeoTech or the advisory before deploying. … |
Recommended Action (AI)
Within 24 hours: Identify all systems running DAQFactory versions 21.1 and earlier; document version inventory and network connectivity. …
More in DAQFactory
- Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered wh
- Out-of-bounds write in AzeoTech DAQFactory release 20.7 (Build 2555) enables arbitrary code execution or denial of servi
- Arbitrary code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a local user opens or interac
- Type confusion in AzeoTech DAQFactory 20.7 (Build 2555) enables arbitrary code execution when a user opens a maliciously
- Local code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a user opens a maliciously crafte
EUVD-2026-37930
GHSA-m6fh-8jwg-xrjx