OTPulse

AzeoTech DAQFactory

Plan Patch · 7.8 · ICS-CERT ICSA-21-308-02 · Nov 4, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

AzeoTech DAQFactory prior to version 18.1 Build 2347 contains multiple vulnerabilities (CWE-242, CWE-502, CWE-319, CWE-471) that could allow code execution, memory corruption, or unauthorized access to engineering documents when a user opens a malicious .ctl file. The vulnerabilities are triggered through document deserialization and improper input validation. These are not remotely exploitable and require a user to open an untrusted document on a workstation running DAQFactory.

What this means
What could happen
An attacker with local access to a workstation running DAQFactory could execute arbitrary code, corrupt memory, or steal engineering documents by tricking a user into opening a malicious .ctl file. This could alter process logic, sensor readings, or setpoints in connected industrial equipment.
Who's at risk
Water utilities and electric utilities that use AzeoTech DAQFactory for SCADA data acquisition and automation on engineering workstations. Anyone running DAQFactory versions before 18.1 Build 2347 for industrial process monitoring, historian functions, or device configuration is at risk.
How it could be exploited
An attacker would need to deliver a malicious DAQFactory .ctl file to a user and convince them to open it on a workstation running the vulnerable version. When the file is loaded, code execution occurs with the privileges of the user. The attacker could then modify process logic, access sensitive engineering files, or modify device configurations.
Prerequisites
  • User with access to run DAQFactory on a workstation
  • User must open a malicious .ctl file (social engineering required)
  • DAQFactory version prior to 18.1 Build 2347
  • No patch available (fix targeted for early 2022)
  • Requires user interaction (social engineering)
  • Local access only (not remotely exploitable)
  • Could allow code execution on engineering workstations
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
DAQFactory: All | < 18.1 Build 2347 | 18.1 Build 2347
Remediation & Mitigation
Do now
  • WORKAROUND: Disable Real Time Web-Connect menu items and use DAQConnect script connections instead
  • HARDENING: Restrict write access to folders containing .ctl files to administrators only
  • WORKAROUND: Operate in Safe Mode when loading DAQFactory documents from untrusted or external sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade DAQFactory to version 18.1 Build 2347 or later when available
  • HARDENING: Apply document editing passwords to all DAQFactory documents
Long-term hardening
  • HARDENING: Isolate DAQFactory workstations from the business network and internet using firewalls and network segmentation
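
One way to verify the hardening step "Restrict write access to folders containing .ctl files to administrators only", as an added example that is not part of the advisory or of AzeoTech's tooling. The root path is an assumption, as is the choice to treat SYSTEM as acceptable alongside Administrators.

```powershell
# Added example: list every folder holding .ctl documents where a principal
# other than Administrators/SYSTEM is allowed to write, delete or re-permission.
param(
    [string]$Root = 'C:\DAQFactory'   # assumed location; set to your document store
)

# Well-known SIDs that may keep write access (SYSTEM is an assumption).
$allowedSids = @('S-1-5-32-544',      # BUILTIN\Administrators
                 'S-1-5-18')          # NT AUTHORITY\SYSTEM

# Only the bits that let someone plant or alter a .ctl file. 'Modify' is
# deliberately not used here because it also contains read/execute bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw GENERIC_ALL / GENERIC_WRITE instead.
$genericWrite = 0x10000000 -bor 0x40000000

$folders = Get-ChildItem -Path $Root -Recurse -Filter '*.ctl' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $_.DirectoryName } | Sort-Object -Unique

$findings = foreach ($dir in $folders) {
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $raw = [int]$ace.FileSystemRights
        if (-not (($raw -band $writeMask) -or ($raw -band $genericWrite))) { continue }

        # Compare by SID so localized or renamed group names do not slip through.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # orphaned or unresolvable account

        if ($allowedSids -notcontains $sid) {
            [pscustomobject]@{
                Folder    = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    exit 1    # non-zero so a scheduled compliance check can alert
}
Write-Output "No non-administrator write access found on .ctl folders under $Root"
```

Entries reported with Inherited = True have to be corrected on the parent folder, or by breaking inheritance on the .ctl folder itself.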