Impact
A type confusion flaw in earlier releases of AzeoTech DAQFactory allows a specially crafted .ctl file to trigger a logic error that may lead to arbitrary code execution. The vulnerability arises when the application processes an unsupported record type, mistaking it for a permissible structure, and then invokes code paths that rely on the confused object. Exploitation can compromise the confidentiality, integrity, or availability of the affected system, potentially allowing a malicious actor to execute commands or install malware with the privileges of the DAQFactory user.
Affected Systems
AzeoTech DAQFactory versions 21.1 and earlier are affected. Users running versions before the 21.2 release should verify their installation and apply updates as available.
Risk and Exploitability
The CVSS score of 8.4 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likelihood of exploitation depends on the attacker’s ability to supply a crafted .ctl document that the target system will load; this is typically a local or supply‑chain scenario rather than remote network exploitation. Attacks would require privileged file system access or control over a trusted document source to introduce the malicious file.
OpenCVE Enrichment