Daqfactory

6 CVEs product

CVE-2026-12921 HIGH CISA This Week

Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered when the application parses a maliciously crafted .ctl project/control file. An attacker who can convince an operator to open a booby-trapped .ctl file can corrupt memory and run code in the context of the DAQFactory process on the engineering or HMI workstation. No public exploit is identified at time of analysis and the CVE is not in CISA KEV, but it carries a high CVSS 4.0 base score of 8.4 driven by full confidentiality, integrity, and availability impact.

Tags: RCE, Denial Of Service, Use After Free, Memory Corruption, Daqfactory
Sources: NVD
CVSS 4.0: 8.4
EPSS: 0.1%
CVE-2026-12390 HIGH CISA Act Now

Code execution in AzeoTech DAQFactory versions 21.1 and prior is achievable when a user opens a maliciously crafted .ctl project file, triggering a CWE-843 type confusion that corrupts memory. The flaw was reported through CISA ICS-CERT, which is significant because DAQFactory is HMI/SCADA software where engineering project files are routinely shared between integrators and operators. There is no public exploit identified at time of analysis, but the file-borne delivery pattern is well-suited to phishing or supply-chain handoffs targeting OT engineers.

Tags: RCE, Memory Corruption, Daqfactory
Sources: NVD
CVSS 4.0: 8.4
EPSS: 0.1%
CVE-2025-66590 HIGH This Week

Out-of-bounds write in AzeoTech DAQFactory release 20.7 (Build 2555) enables arbitrary code execution or denial of service when a local user opens or interacts with attacker-supplied content. The flaw was reported through CISA ICS-CERT and disclosed in ICS advisory ICSA-25-345-03, indicating ICS/SCADA operational technology impact; no public exploit is identified at time of analysis and no CISA KEV listing exists.

Tags: RCE, Buffer Overflow, Memory Corruption, Daqfactory
Sources: NVD, GitHub, VulDB
CVSS 4.0: 8.4
EPSS: 0.2%
CVE-2025-66588 HIGH This Week

Arbitrary code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a local user opens or interacts with attacker-supplied content that triggers an access-of-uninitialized-pointer condition. The flaw was reported through CISA ICS-CERT and is tracked in ICS advisory ICSA-25-345-03; no public exploit is identified at time of analysis, and the CVSS 4.0 vector (AV:L/AC:L/PR:N/UI:A) indicates a local vector with required user interaction rather than remote network exploitation.

Tags: RCE, Memory Corruption, Daqfactory
Sources: NVD, GitHub, VulDB
CVSS 4.0: 8.4
EPSS: 0.2%
CVE-2025-66586 HIGH This Week

Type confusion in AzeoTech DAQFactory 20.7 (Build 2555) enables arbitrary code execution when a user opens a maliciously crafted .ctl project file, corrupting memory in the parser and running attacker-controlled code in the process context. Reported through CISA ICS-CERT and tracked in ICS advisory ICSA-25-345-03, the flaw affects industrial data acquisition and HMI deployments; no public exploit is identified at time of analysis and EPSS data was not provided.

Tags: Buffer Overflow, Memory Corruption, Daqfactory
Sources: NVD, GitHub, VulDB
CVSS 4.0: 7.3
EPSS: 0.0%
CVE-2025-66585 HIGH This Week

Local code execution in AzeoTech DAQFactory release 20.7 (Build 2555) is possible when a user opens a maliciously crafted .ctl project file, triggering a use-after-free condition (CWE-416) in the parser. The flaw was reported by ICS-CERT (DHS) and documented in CISA ICS advisory ICSA-25-345-03, but there is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Tags: Buffer Overflow, Denial Of Service, Use After Free, Memory Corruption, Daqfactory
Sources: NVD, GitHub, VulDB
CVSS 4.0: 7.3
EPSS: 0.0%