AzeoTech DAQFactory (Update A)

Plan Patch7.8ICS-CERT ICSA-25-345-03Dec 11, 2025

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

DAQFactory versions 20.7_Build_2555 and earlier contain multiple memory corruption vulnerabilities (buffer overflow, out-of-bounds read, type confusion, use-after-free) in the processing of .ctl control files. Successful exploitation requires an attacker to craft a malicious .ctl file and trick a user into opening it, leading to information disclosure or arbitrary code execution with the privileges of the DAQFactory process.

What this means

What could happen

An attacker with access to upload a malicious DAQFactory control file (.ctl) could execute arbitrary code on the system running DAQFactory, potentially disrupting data acquisition, logging, and automation processes that depend on the software.

Who's at risk

Organizations using AzeoTech DAQFactory for industrial data acquisition, monitoring, and automation (common in utilities, manufacturing, and process control environments). Anyone distributing or sharing DAQFactory documents (.ctl files) with external parties is at risk if the recipient opens a compromised document.

How it could be exploited

An attacker crafts a malicious .ctl file and tricks a user into opening it in DAQFactory (via email, file share, or other social engineering). Upon loading, memory corruption vulnerabilities (buffer overflow, out-of-bounds read, type confusion) allow code execution with the privileges of the DAQFactory process.

Prerequisites

User must open a malicious .ctl file in DAQFactory
The .ctl file must be from an untrusted source or attacker-controlled location
DAQFactory version 20.7_Build_2555 or earlier must be in use

Local exploitation only (requires user interaction)No authentication required to load a fileLow complexity attack (user must open file)Memory corruption vulnerabilities (buffer overflow, out-of-bounds read, type confusion)Arbitrary code execution possible

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

DAQFactory: <=20.7_Build_2555≤ 20.7 Build 255521.1

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGStore .ctl files only in directories with restricted write permissions (admin-level access only)

WORKAROUNDOperate in Safe Mode when loading .ctl documents from unknown or untrusted sources

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate DAQFactory to Release 21.1 or later

HARDENINGApply document editing passwords to your DAQFactory documents to restrict modification

Long-term hardening

0/1

HARDENINGTrain users to avoid opening .ctl files from unknown or untrusted sources

CVEs (5)

CVE-2025-66590 CVE-2025-66589 CVE-2025-66588 CVE-2025-66586 CVE-2025-66585

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9bd697c2-b60a-4ca8-a0e9-9b8b93fc2026