CVE-2025-66586
📋 TL;DR
A memory corruption vulnerability in AzeoTech DAQFactory allows attackers to execute arbitrary code by tricking a user into opening a malicious .ctl (DAQFactory document) file. This affects users of DAQFactory 20.7 Build 2555 who open configuration files from untrusted sources. The vulnerability requires user interaction, but successful exploitation gives the attacker code execution as the user running DAQFactory, which on an engineering workstation or HMI can mean full compromise of that host.
💻 Affected Systems
- AzeoTech DAQFactory
📦 What is this software?
DAQFactory by AzeoTech, a Windows SCADA/HMI and data-acquisition application. Its project/document files use the .ctl extension, which is the file type involved in this issue.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the user who opened the malicious .ctl file. If DAQFactory runs under an administrative account (common on HMI and engineering workstations), this amounts to complete takeover of the host, followed by data theft and lateral movement into the control network.
Likely Case
Code execution in the context of the DAQFactory process after a user opens a crafted .ctl file, giving the attacker the same access DAQFactory has to the connected instruments and control logic, and to any data the application handles.
If Mitigated
Denial of service or application crash if memory corruption doesn't lead to successful code execution.
🎯 Exploit Status
Exploitation requires a user to open a malicious .ctl file; there is no network-facing trigger. Turning the memory corruption into reliable code execution takes some skill, so crashes (denial of service) are the more likely outcome of an unsophisticated attempt.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to a version later than 20.7 Build 2555
Advisory (CISA ICS): https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03
Restart Required: Yes
Instructions:
1. Download the latest DAQFactory version from the AzeoTech website.
2. Back up the current configuration, .ctl project files, and data.
3. Install the update following the vendor instructions.
4. Restart the system and verify that the application and its data acquisition channels function normally.
🔧 Temporary Workarounds
Restrict .ctl file processing
Block or restrict opening of .ctl files from untrusted sources (e-mail attachments, downloads, removable media); only project files from a controlled repository should be opened.
Application sandboxing
Run DAQFactory under a non-administrative account or in a sandboxed environment so that code executing in its process cannot take over the host.
🧯 If You Can't Patch
- Implement strict file validation: Only allow .ctl files from trusted, verified sources
- Network segmentation: Isolate DAQFactory systems from untrusted networks and internet access
🔍 How to Verify
Check if Vulnerable:
Open Help > About in DAQFactory. If the version shown is 20.7 Build 2555, the installation is vulnerable.
Check Version:
In the DAQFactory GUI, Help > About shows the version and build number.
Verify Fix Applied:
Confirm that Help > About reports a version later than 20.7 Build 2555 after the update.
📡 Detection & Monitoring
Log Indicators:
- Unexpected application crashes
- Memory access violation errors in system logs
- Unusual .ctl file processing activity
Network Indicators:
- Unexpected network connections from DAQFactory process
- File downloads to DAQFactory system
SIEM Query (pseudo-syntax; map field names to your SIEM):
EventID=1000 AND Source='Application Error' AND FaultingApplication='daqfactory.exe' AND (ExceptionCode='0xc0000005' OR ExceptionCode='0xc0000409')
Notes: Windows logs application crashes as Event ID 1000 from Source 'Application Error' (with Event ID 1001 from 'Windows Error Reporting' as a companion record); the crashing process name is in the event data as the faulting application name, not in the Source field. Exception code 0xc0000005 is an access violation and 0xc0000409 is STATUS_STACK_BUFFER_OVERRUN (a /GS stack-cookie failure), both consistent with a file-parser memory corruption. Without the parentheses the original query's AND/OR precedence matched far more than intended.
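The detection logic behind that query, run over sample log records, as an added example (not code from the page, AzeoTech, or CISA). It goes one step beyond the query: each DAQFactory crash with one of the two exception codes is tied back to the .ctl file that a process-creation event shows being opened shortly before, which is the "unusual .ctl file processing" indicator above. It assumes Windows Application log Event ID 1000 records with the faulting application and exception code already parsed into fields, Sysmon Event ID 1 records carrying the command line, and the executable name daqfactory.exe used in the query; the event records themselves are constructed for the example.

```python
"""Flag DAQFactory crashes matching the SIEM query above and tie each one to the
.ctl file that was opened just before it.

Added example, not vendor or page code. Assumptions (hypothetical):
- Event ID 1000 ("Application Error") records already parsed into fields.
- Sysmon Event ID 1 (process creation) records with the CommandLine.
- The executable is daqfactory.exe, as in the page's SIEM query.
"""
import ntpath
import re
from datetime import datetime, timedelta

# Exception codes from the SIEM query: access violation and STATUS_STACK_BUFFER_OVERRUN.
SUSPICIOUS_EXCEPTION_CODES = {0xC0000005, 0xC0000409}
TARGET_EXE = "daqfactory.exe"
LOOKBACK = timedelta(minutes=10)  # how far back to look for the .ctl launch

# A quoted or bare path ending in .ctl anywhere on a command line.
CTL_PATH_RE = re.compile(r'"([^"]+?\.ctl)"|(\S+\.ctl)\b', re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-12-11T09:58:02", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Program Files\DAQFactory\daqfactory.exe",
     "command_line": r'"C:\Program Files\DAQFactory\daqfactory.exe" "C:\Users\op\Downloads\plant_update.ctl"'},
    {"time": "2025-12-11T09:58:09", "channel": "Application", "event_id": 1000,
     "source": "Application Error", "faulting_app": "daqfactory.exe",
     "faulting_module": "daqfactory.exe", "exception_code": "0xc0000005"},
    {"time": "2025-12-11T09:58:10", "channel": "Application", "event_id": 1001,
     "source": "Windows Error Reporting", "faulting_app": "daqfactory.exe"},
    # Another program crashing with the same code: wrong process, not flagged.
    {"time": "2025-12-11T10:03:44", "channel": "Application", "event_id": 1000,
     "source": "Application Error", "faulting_app": "notepad.exe",
     "faulting_module": "ntdll.dll", "exception_code": "0xc0000005"},
    # DAQFactory dying with a .NET exception code: not a memory corruption signature.
    {"time": "2025-12-11T11:20:00", "channel": "Application", "event_id": 1000,
     "source": "Application Error", "faulting_app": "daqfactory.exe",
     "faulting_module": "daqfactory.exe", "exception_code": "0xe0434352"},
    # /GS stack-cookie failure with no .ctl launch inside the lookback window.
    {"time": "2025-12-11T14:45:30", "channel": "Application", "event_id": 1000,
     "source": "Application Error", "faulting_app": "daqfactory.exe",
     "faulting_module": "daqfactory.exe", "exception_code": "0xc0000409"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_suspicious_crash(event):
    """Event ID 1000 where daqfactory.exe died with an access violation
    or a stack-buffer-overrun exception (the SIEM query's conditions)."""
    if event.get("channel") != "Application" or event.get("event_id") != 1000:
        return False
    if event.get("faulting_app", "").lower() != TARGET_EXE:
        return False
    try:
        code = int(event.get("exception_code", ""), 16)
    except ValueError:
        return False
    return code in SUSPICIOUS_EXCEPTION_CODES


def ctl_file_from_command_line(command_line):
    """Return the first .ctl path on a command line, without quotes, or None."""
    match = CTL_PATH_RE.search(command_line)
    if not match:
        return None
    return match.group(1) or match.group(2)


def find_suspicious_crashes(events):
    """One finding per suspicious DAQFactory crash, with the .ctl file from the
    most recent daqfactory.exe launch inside LOOKBACK (None if there is none)."""
    ordered = sorted(events, key=_ts)
    launches = [e for e in ordered
                if e.get("channel") == "Sysmon" and e.get("event_id") == 1
                and ntpath.basename(e.get("image", "")).lower() == TARGET_EXE]
    findings = []
    for crash in ordered:
        if not is_suspicious_crash(crash):
            continue
        crash_time = _ts(crash)
        ctl_file = None
        for launch in reversed(launches):  # newest launch first
            launch_time = _ts(launch)
            if launch_time <= crash_time and crash_time - launch_time <= LOOKBACK:
                ctl_file = ctl_file_from_command_line(launch.get("command_line", ""))
                break
        findings.append({
            "time": crash["time"],
            "exception_code": crash["exception_code"].lower(),
            "module": crash.get("faulting_module"),
            "ctl_file": ctl_file,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_crashes(SAMPLE_EVENTS):
        print(finding)
```

Two findings come out of the sample: the 09:58 access violation, attributed to plant_update.ctl from the user's Downloads folder, and the 14:45 stack-cookie failure with no .ctl launch in the window. The notepad.exe crash and the 0xe0434352 exit are discarded, which is what the parenthesised query does and the original unparenthesised one did not.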