Description
In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.
Published: 2026-06-18
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A type confusion flaw in earlier releases of AzeoTech DAQFactory allows a specially crafted .ctl file to trigger a logic error that may lead to arbitrary code execution. The vulnerability arises when the application processes an unsupported record type, mistaking it for a permissible structure, and then invokes code paths that rely on the confused object. Exploitation can compromise the confidentiality, integrity, or availability of the affected system, potentially allowing a malicious actor to execute commands or install malware with the privileges of the DAQFactory user.

Affected Systems

AzeoTech DAQFactory versions 21.1 and earlier are affected. Users running versions before the 21.2 release should verify their installation and apply updates as available.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likelihood of exploitation depends on the attacker’s ability to supply a crafted .ctl document that the target system will load; this is typically a local or supply‑chain scenario rather than remote network exploitation. Attacks would require privileged file system access or control over a trusted document source to introduce the malicious file.

Generated by OpenCVE AI on June 18, 2026 at 22:03 UTC.

Remediation

Vendor Solution

* Users are discouraged from using documents from unknown/untrusted sources. * Users are encouraged to store .ctl files in a folder only writeable by admin-level users. * Users are encouraged to operate in “Safe Mode” when loading documents that have been out of their control. * Users are encouraged to apply a document editing password to their documents.


OpenCVE Recommended Actions

  • Avoid opening .ctl files from unverified or unknown sources
  • Store all .ctl files in a folder that is writeable only by administrators and deny write access to standard users
  • Open .ctl documents in Safe Mode so that unsupported record types are not processed
  • Set an editing password on all .ctl documents to prevent unauthorized modification

Generated by OpenCVE AI on June 18, 2026 at 22:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Azeotech
Azeotech daqfactory
Vendors & Products Azeotech
Azeotech daqfactory

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.
Title Access of resource using incompatible type ('type confusion') in AzeoTech DAQFactory
Weaknesses CWE-843
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Azeotech Daqfactory
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-18T18:42:13.934Z

Reserved: 2026-06-16T12:13:25.809Z

Link: CVE-2026-12390

cve-icon Vulnrichment

Updated: 2026-06-18T18:42:09.712Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses
  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')