AzeoTech DAQFactory (Update A)
Plan Patch | CVSS 7.8 | ICS-CERT ICSA-25-345-03 | Dec 11, 2025
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
DAQFactory contains multiple buffer overflow and memory management vulnerabilities in .ctl file handling. An attacker can craft a malicious .ctl file that, when opened by a user, triggers out-of-bounds write or read operations, leading to information disclosure or arbitrary code execution on the host running DAQFactory.
What this means
What could happen
An attacker can execute arbitrary code on a computer running DAQFactory by tricking a user into opening a malicious .ctl file, potentially compromising the entire SCADA system and allowing manipulation of process data, setpoints, or interruption of monitoring and control functions.
Who's at risk
DAQFactory operators and engineers at any facility using this SCADA/data acquisition software to monitor or control industrial processes, utility systems, or research equipment, and organizations relying on DAQFactory for real-time process monitoring, alarm management, or control logic automation.
How it could be exploited
An attacker crafts a malicious .ctl file and delivers it via email or file sharing to an operator or engineer. When the user opens the file in DAQFactory, the buffer overflow vulnerabilities are triggered, allowing the attacker to execute code with the privileges of the DAQFactory process or the logged-in user.
Prerequisites
- User interaction required: victim must open a malicious .ctl file in DAQFactory
- Local file system write access or the ability to deliver the file to the target user
- Target running DAQFactory version 20.7_Build_2555 or earlier
Local exploitation required | User interaction required | Buffer overflow vulnerability | Arbitrary code execution possible | Could affect SCADA/monitoring systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| DAQFactory: <=20.7_Build_2555 | ≤ 20.7 Build 2555 | 21.1 |
Remediation & Mitigation
Do now
- HARDENING: Restrict write access to .ctl file directories to admin-level users only
- WORKAROUND: Do not open .ctl files from untrusted or unknown sources
- WORKAROUND: Enable 'Safe Mode' when loading .ctl documents that have been outside your control
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update DAQFactory to version 21.1 or later
Long-term hardening
- HARDENING: Apply document editing password protection to all critical .ctl files
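
One way to check the "restrict write access to .ctl file directories" item above, as an added example that is not AzeoTech or advisory code. It assumes a Windows host with NTFS ACLs, treats BUILTIN\Administrators and SYSTEM as the admin-level accounts, and uses a placeholder folder path; the function name is hypothetical.

```powershell
param(
    # Placeholder path (assumption): the folder that holds your .ctl documents.
    [string]$CtlRoot = 'C:\Path\To\CtlDocuments'
)

# Rights that let an account alter, replace or re-permission a file or folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Accounts treated as admin-level (assumption): BUILTIN\Administrators, SYSTEM.
$adminSids = @('S-1-5-32-544', 'S-1-5-18')

function Get-NonAdminWriter {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request rules keyed by SID so renamed or localized groups still match.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($adminSids -contains $rule.IdentityReference.Value) { continue }
        # Resolve the SID to a name for the report; keep the SID if that fails.
        $name = try {
            $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $rule.IdentityReference.Value }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Check the folder tree as well as the files: write access to a folder
# allows a .ctl file to be replaced even when the file ACL is tight.
$targets = @(Get-Item -LiteralPath $CtlRoot) +
           @(Get-ChildItem -LiteralPath $CtlRoot -Recurse -Directory) +
           @(Get-ChildItem -LiteralPath $CtlRoot -Recurse -File -Filter '*.ctl')

$findings = @($targets | ForEach-Object { Get-NonAdminWriter -Path $_.FullName })
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No non-admin write access found under {0}' -f $CtlRoot
}
```

File owners can change permissions regardless of the ACL entries listed, so review ownership of the same paths separately.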