CISA has issued an updated ICS advisory (ICSA-26-169-02, Update A) covering two high-severity vulnerabilities in AzeoTech DAQFactory, a data acquisition and HMI software platform used in critical manufacturing environments worldwide. Both flaws can be triggered by persuading a user to open a specially crafted .ctl file, and successful exploitation can result in full code execution on the target system.
Vulnerability Details
The advisory covers two distinct memory-safety issues, both affecting DAQFactory versions 21.1 and earlier:
- CVE-2026-12390 (Type Confusion, CWE-843): A type confusion flaw that allows an attacker to supply a malformed .ctl file, causing the application to access memory using an incompatible type. This can lead to arbitrary code execution.
- CVE-2026-12921 (Use After Free, CWE-416): A use-after-free condition also triggered through a crafted .ctl file, similarly resulting in code execution.
Both vulnerabilities carry a CVSS v3.1 base score of 7.8 (HIGH) and a CVSS v4.0 score of 8.4 (HIGH). The attack vector is local in both cases, requiring user interaction but no elevated privileges.
Mitigations
No patch has been announced at this time. CISA and AzeoTech recommend the following defensive measures:
- Avoid opening .ctl files from unknown or untrusted sources.
- Restrict write access to .ctl file storage directories to administrator-level accounts only.
- Use the application's built-in Safe Mode when loading files that have left operator control.
- Apply a document editing password to DAQFactory projects.
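The second mitigation, limiting write access on .ctl storage directories to administrators, is easy to state and easy to get wrong on a shared engineering workstation. The following PowerShell audit script is an added example, not part of the CISA advisory or of AzeoTech's documentation. It walks an assumed project directory, finds every folder that holds a .ctl file, and reports any Allow ACE that grants write-type rights to an identity outside an assumed allow-list of BUILTIN\Administrators and NT AUTHORITY\SYSTEM. The path and the allow-list are assumptions to adjust for your deployment.

```powershell
# Added example (not from the CISA advisory or AzeoTech): audit DAQFactory
# .ctl directories for write rights held by non-administrative identities.
param(
    # Assumed project location; change to where your .ctl files actually live.
    [string]$ProjectDir = 'C:\DAQFactory\Projects'
)

# Assumed allow-list: identities that may legitimately hold write rights.
$allowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Rights that let a caller create or alter files in a directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

function Test-CtlDirectoryAcl {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    $findings = @()

    foreach ($ace in $acl.Access) {
        # Deny entries never widen access; only Allow entries matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Generic (unmapped) access masks show up as negative integers; treat
        # them conservatively as write-capable rather than silently skipping.
        $rights   = [int]$ace.FileSystemRights
        $hasWrite = ($rights -lt 0) -or (($rights -band [int]$writeMask) -ne 0)
        if (-not $hasWrite) { continue }

        if ($allowedWriters -contains $ace.IdentityReference.Value) { continue }

        $findings += [pscustomobject]@{
            Directory = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    return $findings
}

# Every directory under the project root that contains at least one .ctl file.
$ctlDirs = Get-ChildItem -Path $ProjectDir -Recurse -Filter '*.ctl' -File |
           Select-Object -ExpandProperty DirectoryName -Unique

$results = foreach ($dir in $ctlDirs) { Test-CtlDirectoryAcl -Path $dir }

if ($results) {
    $results | Format-Table -AutoSize
    Write-Warning "Found $(@($results).Count) write-capable ACE(s) held by non-administrative identities on .ctl directories."
} else {
    Write-Output "No non-administrative write rights found on .ctl directories under $ProjectDir."
}
```

Run it as an administrator so Get-Acl can read every directory's DACL. Inherited entries (Inherited = True) usually come from a parent such as a shared engineering folder where Users hold Modify; fixing those means breaking inheritance on the .ctl directory and rebuilding its ACL with Set-Acl rather than editing the parent. The audit is read-only by design: changing ACLs on a live HMI workstation should be a deliberate change-controlled step, not a side effect of a scan.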
CISA also advises broader ICS hardening practices: isolate control system networks from business networks using firewalls, avoid direct internet exposure of control system devices, and use VPNs for any required remote access while keeping VPN software current.
Scope and Exploitation Status
The vulnerabilities are not remotely exploitable and require local access combined with user interaction, limiting the immediate attack surface. CISA has noted no known public exploitation targeting these vulnerabilities at the time of publication. The affected product is deployed globally across the critical manufacturing sector.
The vulnerabilities were reported to CISA by Rocco Calvi of TecSecurity and rgod of TrendAI Zero Day Initiative. Update A, published June 25, 2026, added CVE-2026-12921 and revised advisory wording from the initial June 18 release.
