PatchSiren cyber security CVE debrief
CVE-2025-66588 AzeoTech CVE debrief
AzeoTech DAQFactory release 20.7 (Build 2555) contains an Access of Uninitialized Pointer vulnerability that can lead to arbitrary code execution. This vulnerability was disclosed by CISA on December 11, 2025, and subsequently modified on January 12, 2026. The CVSS 3.1 score of 7.8 (HIGH) reflects local attack vector with low attack complexity, no privileges required, but user interaction required. The vulnerability affects industrial control system environments where DAQFactory is deployed for data acquisition and process control. AzeoTech has released DAQFactory version 21.1 as a vendor fix. CISA recommends defense-in-depth measures including restricting document sources, file permission controls, safe mode operation, and document password protection.
- Vendor
- AzeoTech
- Product
- DAQFactory
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-12-11
- Original CVE updated
- 2026-01-12
- Advisory published
- 2025-12-11
- Advisory updated
- 2026-01-12
Who should care
Organizations running AzeoTech DAQFactory 20.7 (Build 2555) in industrial control, manufacturing, laboratory automation, or data acquisition environments. Security teams responsible for OT/ICS asset management, patch management programs covering operational technology, and personnel handling .ctl document workflows in DAQFactory deployments.
Technical summary
The vulnerability exists in AzeoTech DAQFactory release 20.7 (Build 2555) due to access of an uninitialized pointer. An attacker can exploit this condition to achieve arbitrary code execution. The attack requires local access and user interaction (such as opening a malicious document), but does not require elevated privileges. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates high impacts to confidentiality, integrity, and availability. The vulnerability is particularly relevant in operational technology environments where DAQFactory is used for supervisory control and data acquisition. The vendor has addressed the issue in Release 21.1.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to DAQFactory Release 21.1 to address the uninitialized pointer vulnerability
- Restrict .ctl file loading to documents from trusted sources only
- Store .ctl files in directories with admin-only write permissions
- Enable Safe Mode when loading documents that have been outside organizational control
- Apply document editing passwords to protect .ctl files from unauthorized modification
- Implement network segmentation for DAQFactory systems per CISA ICS recommended practices
- Monitor for anomalous process execution or document loading behaviors on affected systems
Evidence notes
Vulnerability details sourced from CISA CSAF advisory ICSA-25-345-03. Advisory underwent revision on 2025-12-30 (Update A) removing duplicative CVEs, and final revision on 2026-01-12 updating acknowledgments. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Official resources
-
CVE-2025-66588 CVE record
CVE.org
-
CVE-2025-66588 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-12-11