Executive Summary
In December 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released advisories covering vulnerabilities in two products: WHILL Model C2 and Model F powered wheelchairs (a medical-device advisory) and AzeoTech DAQFactory (an industrial control systems advisory). The WHILL flaw lets an attacker within Bluetooth range pair with a chair and issue movement commands with no credentials or user interaction. The DAQFactory flaws are memory-corruption bugs in the parsing of .ctl project files that can lead to code execution in the context of the process when a crafted file is opened. Left unmitigated, the former endangers rider safety directly, and the latter can compromise the engineering or operator workstations that run automation and process monitoring, affecting operational continuity.
This disclosure underscores intensifying cybersecurity scrutiny of industrial and medical control systems, which are increasingly targeted due to digitization and legacy design shortcomings. The rapid emergence of similar threats and increased regulatory focus make swift mitigation and robust ICS security controls more vital than ever.
Why This Matters Now
As more healthcare and industrial organizations digitize operations, legacy ICS and IoT devices are increasingly exposed to remotely exploitable vulnerabilities. Recent CISA advisories reflect a pattern of critical flaws in connected devices, highlighting an urgent need for improved segmentation, encrypted communications, and anomaly detection in operational environments.
Attack Path Analysis
The advisories describe vulnerabilities, not an observed intrusion, so the following is a plausible path rather than a reconstruction of an incident. The two products also have different entry points. For the wheelchairs, an attacker in Bluetooth range pairs directly with the chair and issues movement commands; no network foothold is involved. For DAQFactory, the attacker needs an operator or engineer to open a crafted .ctl file (delivered by email, removable media, or a shared project folder), which gives code execution on that workstation. From such a foothold inside the operational environment, an adversary could abuse weak or misconfigured permissions to escalate privileges, move east-west across ICS and supporting systems, establish command and control over permitted network paths, and stage telemetry or control files for exfiltration. The end state could be disruption, tampering with control logic, or ransomware deployment against industrial operations.
Kill Chain Progression
Initial Compromise
Description
Exploitation of one of the advisory vulnerabilities gives the adversary a foothold: direct control of a wheelchair over Bluetooth, or code execution on a DAQFactory workstation that typically sits on or adjacent to OT/ICS networks.
Related CVEs
CVE-2025-14346 (CVSS 9.8)
WHILL Model C2 Electric Wheelchairs and Model F Power Chairs lack authentication for Bluetooth connections, allowing attackers within range to pair with the device and issue movement commands without credentials or user interaction.
Affected Products:
WHILL Model C2 Electric Wheelchair – All versions prior to December 29, 2025
WHILL Model F Power Chair – All versions prior to December 29, 2025
Exploit Status: exploited in the wild

CVE-2025-66585 (CVSS 7.8)
AzeoTech DAQFactory release 20.7 (Build 2555) contains a Use After Free vulnerability that can be exploited to cause memory corruption while parsing specially crafted .ctl files, potentially allowing an attacker to execute code in the context of the current process.
Affected Products:
AzeoTech DAQFactory – 20.7 (Build 2555) and prior
Exploit Status: proof of concept

CVE-2025-66586 (CVSS 7.8)
AzeoTech DAQFactory release 20.7 (Build 2555) contains a Type Confusion vulnerability that can be exploited to cause memory corruption while parsing specially crafted .ctl files, potentially allowing an attacker to execute code in the context of the current process.
Affected Products:
AzeoTech DAQFactory – 20.7 (Build 2555) and prior
Exploit Status: proof of concept

CVE-2025-66590 (CVSS 7.8)
AzeoTech DAQFactory release 20.7 (Build 2555) contains an Out-of-bounds Write vulnerability that can be exploited to cause memory corruption while parsing specially crafted .ctl files, potentially allowing an attacker to execute code in the context of the current process.
Affected Products:
AzeoTech DAQFactory – 20.7 (Build 2555) and prior
Exploit Status: proof of concept
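All three DAQFactory CVEs share one trigger: DAQFactory parses a crafted .ctl file, so the two checks a defender actually needs are (a) is the installed build 20.7 Build 2555 or earlier, and (b) is DAQFactory being launched with a .ctl from somewhere other than the sanctioned project directory. The script below is an added example written for this page, not code from CISA, ZDI, or AzeoTech. It assumes the executable is named DAQFactory.exe and that sanctioned projects live under C:\DAQFactory\Projects\; both are assumptions to adjust per site. The process-creation events are constructed in a flattened "Image|CommandLine|ParentImage" form in the spirit of Sysmon Event ID 1, not real telemetry.

```python
import re
from dataclasses import dataclass

# Last affected build per the CISA advisory: DAQFactory 20.7 (Build 2555) and prior.
LAST_AFFECTED = (20, 7, 2555)

# Assumptions for this example: executable name and the site's trusted project directories.
DAQFACTORY_EXE = "daqfactory.exe"
TRUSTED_CTL_DIRS = ("c:\\daqfactory\\projects\\",)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\s*\(build\s*(\d+)\))?", re.IGNORECASE)


def parse_version(text):
    """Parse '20.7 (Build 2555)' or '21.0' into (major, minor, build).

    A missing build number is treated as 0 so that a bare '20.7' from an
    inventory tool is still counted as affected (conservative choice)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised DAQFactory version string: {text!r}")
    major, minor, build = m.groups()
    return (int(major), int(minor), int(build) if build else 0)


def is_affected(version_text):
    """True when the installed version is 20.7 Build 2555 or earlier."""
    return parse_version(version_text) <= LAST_AFFECTED


# Constructed sample events: Image|CommandLine|ParentImage (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Program Files\DAQFactory\DAQFactory.exe|DAQFactory.exe C:\DAQFactory\Projects\line3.ctl|explorer.exe",
    r"C:\Program Files\DAQFactory\DAQFactory.exe|DAQFactory.exe C:\Users\op\Downloads\update.ctl|outlook.exe",
    r"C:\Program Files\DAQFactory\DAQFactory.exe|DAQFactory.exe \\fileshare\vendor\new.ctl|explorer.exe",
    r"C:\Windows\notepad.exe|notepad.exe C:\Users\op\Downloads\update.ctl|explorer.exe",
]

# Matches a quoted or unquoted path ending in .ctl on the command line.
_CTL_ARG_RE = re.compile(r"(\"[^\"]+\.ctl\"|\S+\.ctl)", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    parent: str
    reason: str


def untrusted_ctl_opens(events):
    """Return a Finding for each DAQFactory launch that loads a .ctl from outside
    the trusted project directories; other processes are ignored."""
    findings = []
    for line in events:
        image, cmdline, parent = line.split("|", 2)
        if not image.lower().endswith(DAQFACTORY_EXE):
            continue
        m = _CTL_ARG_RE.search(cmdline)
        if not m:
            continue
        path = m.group(1).strip('"')
        low = path.lower()
        if low.startswith(TRUSTED_CTL_DIRS):
            continue
        if low.startswith("\\\\"):
            reason = "ctl loaded from network share"
        elif "\\downloads\\" in low or "\\temp\\" in low or "\\appdata\\" in low:
            reason = "ctl loaded from download/temp location"
        else:
            reason = "ctl loaded from outside trusted project directories"
        findings.append(Finding(path, parent, reason))
    return findings


if __name__ == "__main__":
    print("20.7 (Build 2555) affected:", is_affected("20.7 (Build 2555)"))
    for f in untrusted_ctl_opens(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.path} (parent {f.parent})")
```

The version check belongs in the asset inventory pass; the launch check belongs in host telemetry (EDR or Sysmon), because a .ctl arriving on removable media or opened from a local share never crosses a network inspection point. The parent process is kept in each finding since a mail client or browser launching DAQFactory is the delivery pattern that matters most.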
MITRE ATT&CK® Techniques
Techniques mapped to likely exploit and threat paths for these vulnerabilities based on the CISA advisories. The list is generic to ICS intrusions; for the DAQFactory CVEs the entry point is a user opening a crafted .ctl file, and for the WHILL CVE it is unauthenticated Bluetooth pairing within radio range, so not every technique below applies to both products.
Exploitation of Remote Services
Exploit Public-Facing Application
Control Device Identification
Modify Control Logic
Service Stop
Default Accounts
Remote System Discovery
Network Sniffing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Security of network and information systems
Control ID: Article 21(2)(c)
CISA Zero Trust Maturity Model 2.0 – Asset Discovery and Monitoring
Control ID: Asset Management - Visibility and Analytics
PCI DSS 4.0 – Security of System Components
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Monitoring
Control ID: 500.03, 500.07
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8(1)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure utilities face severe ICS vulnerability exposure requiring immediate zero trust segmentation and encrypted traffic controls for operational technology systems.
Oil/Energy/Solar/Greentech
Energy sector's extensive ICS networks vulnerable to lateral movement attacks, demanding enhanced east-west traffic security and industrial control system hardening measures.
Health Care / Life Sciences
Healthcare ICS including medical devices like wheelchairs require urgent vulnerability patching and compliance with HIPAA encryption standards for patient safety.
Manufacturing
Manufacturing
Manufacturing operations that run DAQFactory need to update past 20.7 (Build 2555), restrict where .ctl project files may come from (version-controlled project directories rather than email attachments or vendor shares), and monitor the engineering workstations that open them, since those hosts are the foothold from which the rest of the OT network is reachable.
Sources
- CISA Releases Two Industrial Control Systems Advisories: https://www.cisa.gov/news-events/alerts/2025/12/30/cisa-releases-two-industrial-control-systems-advisories
- WHILL C2 Wheelchairs Advisory (ICSMA-25-364-01): https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01
- AzeoTech DAQFactory Advisory (ICSA-25-345-03): https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03
- ZDI-25-1128: AzeoTech DAQFactory CTL File Parsing Use-After-Free Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-25-1128/
- ZDI-25-1134: AzeoTech DAQFactory CTL File Parsing Type Confusion Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-25-1134/
- ZDI-25-1130: AzeoTech DAQFactory CTL File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-25-1130/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic inspection, egress policy enforcement, and inline threat detection would constrain an adversary's ability to escalate, move laterally, communicate externally, and exfiltrate ICS data after an initial compromise. These are network controls: they do not stop a Bluetooth pairing attack on a wheelchair or a crafted .ctl file opened from local or removable media, so they limit blast radius rather than replace the vendor fixes.
Control: Inline IPS (Suricata)
Mitigation: Known exploit patterns crossing inspected network paths would be detected and blocked; delivery of a crafted .ctl by removable media or from a local share is outside its view.
Control: Zero Trust Segmentation
Mitigation: Unauthorized privilege traversal between zones would be prevented.
Control: East-West Traffic Security
Mitigation: Unusual lateral movement would be detected and blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Malicious outbound C2 traffic is restricted or detected.
Control: Encrypted Traffic (HPE) & Egress Security
Mitigation: Data exfiltration via unauthorized channels is blocked or detected.
Malicious actions are detected in real time for rapid response.
Impact at a Glance
Affected Business Functions
- Mobility Services
- Industrial Automation
Estimated downtime: 7 days (illustrative estimate; not derived from the advisories)
Estimated loss: $500,000 (illustrative estimate; not derived from the advisories)
Potential exposure of sensitive operational data and user safety information due to unauthorized access and control.
Recommended Actions
Key Takeaways & Next Steps
- Apply the vendor fixes referenced in the CISA advisories: WHILL Model C2 and Model F versions prior to December 29, 2025 and DAQFactory 20.7 (Build 2555) and prior are affected.
- Restrict the sources of DAQFactory .ctl project files to controlled project directories and monitor engineering workstations for .ctl files opened from email, downloads, or untrusted shares.
- Implement Zero Trust segmentation and microsegmentation across all ICS/OT workloads to minimize attack blast radius.
- Deploy east-west traffic inspection and enforce workload-level least-privilege network policies to contain lateral movement.
- Apply inline IPS and real-time anomaly detection to protect against exploit attempts and suspicious behaviors.
- Enforce strict egress controls and policy-driven outbound filtering to block C2 and data exfiltration attempts.
- Maintain continuous visibility, centralized policy management, and encrypted interconnects to detect, respond, and recover from threats that reach OT from cloud or enterprise networks.