Executive Summary
In December 2025, critical memory corruption vulnerabilities were disclosed in AzeoTech DAQFactory, an industrial control system platform widely used in critical manufacturing. Attackers leveraging these flaws (out-of-bounds write, use-after-free, heap and stack buffer overflows, and type confusion) could deliver malicious .ctl files that, once opened, lead to potential arbitrary code execution or data disclosure. No remote exploitation was reported, but the flaws affect DAQFactory versions 20.7 (Build 2555) and earlier, impacting deployments worldwide.
The incident underscores the persistent risk that memory-based vulnerabilities pose to ICS platforms, amplifying concerns about supply chain and file-based attacks in operational environments. Given ICS’s expanding attack surface and recent regulatory scrutiny, addressing patch management and limiting untrusted file handling remain crucial for minimizing operational risk.
Why This Matters Now
These vulnerabilities illustrate how sophisticated, file-based attacks continue to threaten critical infrastructure. As adversaries exploit memory safety flaws in ICS applications, timely patching, network segmentation, and robust access controls are crucial to mitigate risk. Increased regulatory focus on ICS security heightens urgency for asset owners to address software update and file hygiene practices.
Attack Path Analysis
In the expected attack path, the attacker first gains access by persuading a user to open a crafted malicious .ctl file in the vulnerable DAQFactory application. Exploiting the memory corruption vulnerabilities then lets the attacker escalate privileges and achieve code execution. With local execution established, the attacker could pivot laterally across internal control system networks if segmentation is insufficient, establish command and control by deploying backdoors or initiating outbound connections, and exfiltrate sensitive data over unauthorized outbound channels. Ultimately, the attacker could disrupt, manipulate, or destroy industrial processes and data, causing operational impact.
Kill Chain Progression
Initial Compromise
Description
An attacker delivers a malicious .ctl file to a target user, likely via phishing or social engineering, who then opens it in DAQFactory, triggering vulnerability exploitation.
Related CVEs
CVE-2025-66590
CVSS 9.8
An out-of-bounds write vulnerability in AzeoTech DAQFactory allows attackers to execute arbitrary code or cause a system crash.
Affected Products:
AzeoTech DAQFactory – <= 20.7 (Build 2555)
Exploit Status:
no public exploit
CVE-2025-66589
CVSS 9.1
An out-of-bounds read vulnerability in AzeoTech DAQFactory could allow attackers to disclose information or cause a system crash.
Affected Products:
AzeoTech DAQFactory – <= 20.7 (Build 2555)
Exploit Status:
no public exploit
CVE-2025-66588
CVSS 9.8
An access of uninitialized pointer vulnerability in AzeoTech DAQFactory could lead to arbitrary code execution.
Affected Products:
AzeoTech DAQFactory – <= 20.7 (Build 2555)
Exploit Status:
no public exploit
CVE-2025-66586
CVSS 7.8
A type confusion vulnerability in AzeoTech DAQFactory could allow attackers to execute code in the context of the current process.
Affected Products:
AzeoTech DAQFactory – <= 20.7 (Build 2555)
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
User Execution: Malicious File
System Services: Service Execution
Process Injection
Exploitation for Privilege Escalation
Exploitation for Defense Evasion
Exfiltration Over Alternative Protocol
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention Mechanisms
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Art. 9
CISA ZTMM 2.0 – Identity and Access Management – Least Privilege Enforcement
Control ID: ZT-IA-04
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Critical Manufacturing sector faces high-severity vulnerabilities in DAQFactory industrial control systems enabling arbitrary code execution through malicious file exploitation.
Oil/Energy/Solar/Greentech
Energy infrastructure using DAQFactory for SCADA operations vulnerable to buffer overflow attacks requiring immediate patching and enhanced file validation controls.
Utilities
Power generation and distribution systems risk operational disruption from memory corruption vulnerabilities in widely-deployed DAQFactory industrial control platform software.
Chemical
Process control systems in chemical manufacturing exposed to stack-based buffer overflow exploits through compromised control files threatening production safety protocols.
Sources
- AzeoTech DAQFactory (CISA ICS Advisory ICSA-25-345-03): https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 (verified)
- NVD Entry for CVE-2025-66590: https://nvd.nist.gov/vuln/detail/CVE-2025-66590 (verified)
- NVD Entry for CVE-2025-66589: https://nvd.nist.gov/vuln/detail/CVE-2025-66589 (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic isolation, egress policy enforcement, encrypted traffic inspection, and central visibility controls would have restricted attacker movement, detected anomalies, and limited exploit impact, even after initial compromise. Segmentation and granular egress controls would minimize the window for privilege escalation, lateral movement, and external communication.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of anomalous application or user behavior.
Control: Zero Trust Segmentation
Mitigation: Limits attacker's elevated access scope within critical environments.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized workload-to-workload communications.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound connections from OT workloads.
Control: Cloud Firewall (ACF)
Mitigation: Detects or blocks anomalous data egress from critical assets.
Limits blast radius and automates response to contain operational impact.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive operational data due to out-of-bounds read vulnerability.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation between OT workloads to minimize exposure from user-initiated file attacks.
- Apply egress policy controls to block unauthorized outbound traffic and detect C2 or data exfiltration attempts.
- Leverage anomaly detection to monitor for suspicious file activity, memory exploits, and abnormal process launches on critical hosts.
- Mandate robust east-west traffic controls to prevent lateral movement, even after initial user compromise.
- Deploy centralized visibility and response automation to rapidly contain incidents and limit operational impact in ICS environments.
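The anomaly-detection and egress-control recommendations above can be turned into a concrete correlation over endpoint telemetry. This is an added example, not code from the advisory or from AzeoTech; it assumes the DAQFactory process image is named DAQFactory.exe and that the plant's OT subnet is 192.168.10.0/24 (both constructed assumptions), and it flags a DAQFactory process that opened a .ctl file from a user-writable location and then launched a shell or connected off-subnet, which is the kill chain this page describes.

```python
# Added example (not from the advisory): correlate endpoint telemetry for the
# DAQFactory .ctl attack path. Assumptions: the vendor process image is
# "DAQFactory.exe" and the plant's OT subnet is 192.168.10.0/24 (both constructed).
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

DAQ_IMAGE = "daqfactory.exe"                      # assumption: vendor process name
OT_NETS = [ip_network("192.168.10.0/24")]         # assumption: permitted egress
UNTRUSTED_DIRS = ("\\downloads\\", "\\temp\\", "\\inetcache\\")
# Child processes a data-acquisition application should never launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def analyze(events):
    """Return (pid, reason) findings. A DAQFactory pid becomes 'tainted' once it
    opens a .ctl from a user-writable path; later suspicious child processes or
    off-subnet connections from that pid are reported."""
    tainted, findings = {}, []
    for ev in events:
        if ev["type"] == "process_create":
            img = _name(ev["image"])
            if img == DAQ_IMAGE:
                ctl = [a for a in ev["args"] if a.lower().endswith(".ctl")]
                if ctl and any(d in ctl[0].lower() for d in UNTRUSTED_DIRS):
                    tainted[ev["pid"]] = ctl[0]
            elif ev["ppid"] in tainted and img in SUSPICIOUS_CHILDREN:
                findings.append((ev["ppid"], f"spawned {img} after opening {tainted[ev['ppid']]}"))
        elif ev["type"] == "network_connect" and ev["pid"] in tainted:
            dst = ip_address(ev["dest_ip"])
            if not any(dst in n for n in OT_NETS):
                findings.append((ev["pid"], f"egress to {dst}:{ev['dest_port']} after opening {tainted[ev['pid']]}"))
    return findings

# Constructed sample telemetry (Sysmon-style, simplified; not real logs).
SAMPLE = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\DAQFactory\DAQFactory.exe",
     "args": [r"C:\Plant\line3.ctl"]},                  # project directory: not tainted
    {"type": "process_create", "pid": 200, "ppid": 1, "image": r"C:\DAQFactory\DAQFactory.exe",
     "args": [r"C:\Users\op\Downloads\invoice.ctl"]},   # user-writable directory: tainted
    {"type": "process_create", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "args": []},
    {"type": "network_connect", "pid": 200, "dest_ip": "203.0.113.7", "dest_port": 443},
    {"type": "network_connect", "pid": 100, "dest_ip": "203.0.113.7", "dest_port": 443},  # pid 100 not tainted
]

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE):
        print(f"pid {pid}: {reason}")
```

In production the same logic would run over Sysmon or EDR process-create and network-connect events, with OT_NETS and the process name taken from the site's asset inventory rather than hard-coded.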