CVE-2026-12390 PUBLISHED

Access of resource using incompatible type ('type confusion') in AzeoTech DAQFactory

Assigner: icscert
Reserved: 16.06.2026 Published: 18.06.2026 Updated: 18.06.2026

In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	AzeoTech
Product	DAQFactory
Versions	Default: unaffected affected from 0 to 21.1 (incl.)

Solutions

Users are discouraged from using documents from unknown/untrusted sources.
Users are encouraged to store .ctl files in a folder only writeable by admin-level users.
Users are encouraged to operate in “Safe Mode” when loading documents that have been out of their control.
Users are encouraged to apply a document editing password to their documents.

Credits

Rocco Calvi (@TecR0c) with TecSecurity finder
rgod working with TrendAI Zero Day Initiative finder

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-02

Problem Types

CWE-843 Access of resource using incompatible type ('type confusion') CWE