CISA Warns of Type Confusion Vulnerability in AzeoTech DAQFactory Allowing Code Execution via Malicious .ctl Files
CISA has issued an advisory for CVE-2026-12390, a type confusion vulnerability in AzeoTech DAQFactory versions 21.1 and prior that can be exploited by uploading specially crafted .ctl files to achieve arbitrary code execution.
CISA has published an advisory warning of a type confusion vulnerability in AzeoTech DAQFactory, a supervisory control and data acquisition (SCADA) software widely used in critical manufacturing sectors. Tracked as CVE-2026-12390, the flaw affects DAQFactory versions 21.1 and earlier and carries a CVSS v3.1 base score of 7.8 (HIGH). An attacker can exploit the vulnerability by uploading specially crafted .ctl files, which are configuration files used by the software, leading to arbitrary code execution on the affected system.
The vulnerability stems from a type confusion issue (CWE-843) in how DAQFactory handles .ctl files. When a user opens a malicious .ctl file, the software incorrectly interprets the data type, allowing the attacker to execute arbitrary code in the context of the application. The exploit requires local access or tricking a user into opening a malicious file, as the vulnerability is not remotely exploitable. However, given the prevalence of DAQFactory in industrial control systems, the impact could be severe if an attacker gains initial foothold through phishing or other means.
AzeoTech DAQFactory is deployed globally across the Critical Manufacturing sector, with the company headquartered in the United States. The software is used for data acquisition, monitoring, and control in various industrial environments. The advisory notes that no known public exploitation specifically targeting this vulnerability has been reported to CISA at this time, but the agency urges organizations to take immediate defensive measures.
CISA recommends several mitigations to reduce the risk of exploitation. Users should operate DAQFactory in "Safe Mode" when loading documents that have been out of their control, as this mode restricts certain operations. Additionally, users are encouraged to store .ctl files in folders writable only by admin-level users and to apply a document editing password to their documents. Organizations should also minimize network exposure for all control system devices, ensuring they are not accessible from the internet, and locate control system networks behind firewalls isolated from business networks.
The vulnerability was reported to CISA by Rocco Calvi (@TecR0c) of TecSecurity and rgod of TrendAI Zero Day Initiative. CISA's advisory includes recommended practices for industrial control system security, emphasizing defense-in-depth strategies and the importance of reporting suspected malicious activity. The agency also reminds organizations to perform proper impact analysis and risk assessment before deploying defensive measures.
This advisory adds to a growing list of vulnerabilities disclosed by CISA in industrial control systems, highlighting the ongoing challenge of securing legacy and specialized software in critical infrastructure. While no active exploitation has been confirmed, the high CVSS score and the potential for code execution make this a significant concern for organizations relying on DAQFactory. CISA's guidance provides a clear path for mitigation, but the onus remains on operators to implement these measures promptly.