Type Confusion Flaw in AzeoTech DAQFactory Enables Code Execution via .ctl Files
CISA issued an advisory for CVE-2026-12390, a high-severity type confusion vulnerability in AzeoTech DAQFactory 21.1 and earlier that can allow arbitrary code execution when a user opens a specially crafted .ctl file. The flaw affects software used in the critical manufacturing sector and deployed environments worldwide, and CISA assigned it a CVSS v3.1 score of 7.8 and a CVSS v4.0 score of 8.4.
The vulnerability is not remotely exploitable and requires user interaction, but successful exploitation could result in malicious file upload and code execution on affected systems. CISA and related vulnerability reporting recommend upgrading DAQFactory to a version later than 21.1, applying vendor patches, and avoiding untrusted .ctl files; no known public exploitation has been reported.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CVE-2026-12390 published for AzeoTech DAQFactory
A high-severity type confusion vulnerability affecting AzeoTech DAQFactory version 21.1 and earlier was published as CVE-2026-12390. The flaw can be triggered via a specially crafted .ctl file and may allow arbitrary code execution; CISA noted no known public exploitation at the time of disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple High-Severity Memory Vulnerabilities in AzeoTech DAQFactory
AzeoTech DAQFactory, a software and application development platform, has been found to contain several high-severity memory vulnerabilities in release 20.7 (Build 2555) and prior. Notably, these include an Out-of-bounds Read (CVE-2025-66589) and an Out-of-bounds Write (CVE-2025-66590), both of which can be exploited by attackers through the upload of a malicious `.ctl` file. The Out-of-bounds Read vulnerability may allow attackers to disclose sensitive information or cause a system crash, while the Out-of-bounds Write vulnerability could lead to arbitrary code execution or a system crash. Both vulnerabilities have been assigned a CVSS v4 base score of 8.4, indicating a high level of risk. According to CISA and CVE advisories, successful exploitation of these vulnerabilities does not require remote access but does require the attacker to upload a crafted file. Additional vulnerabilities, such as Access of Uninitialized Pointer, Heap-based Buffer Overflow, Type Confusion, Use After Free, and Stack-based Buffer Overflow, have also been identified in the same product version, further increasing the risk profile for organizations using AzeoTech DAQFactory. Users are advised to review official advisories and apply mitigations as soon as possible to reduce exposure to these threats.
Mar 21, 2026
Delta Electronics CNCSoft-G2 DPAX File Parsing Out-of-Bounds Write RCE
**Delta Electronics CNCSoft-G2** contains an out-of-bounds write vulnerability in the *DOPSoft* component’s **DPAX file parsing** that can lead to **remote code execution** in the context of the current process. The issue is tracked as **CVE-2026-3094** (ZDI-CAN-28415 / **ZDI-26-151**) and is rated **CVSS 7.8 (High)** with the vector `CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`; exploitation requires **user interaction** (e.g., opening a malicious file or visiting a malicious page that triggers processing of attacker-controlled content). Affected versions are **CNCSoft-G2 prior to V2.1.0.39** (CWE-787), and Delta Electronics has issued an update to remediate the flaw. CISA’s ICS advisory highlights the potential impact to **critical manufacturing** environments and recommends standard OT hardening measures, including minimizing network exposure of control system assets, placing devices behind firewalls and isolating OT from business networks, and using more secure remote access methods (e.g., VPNs) when remote connectivity is required. Separately, CISA also added **Hikvision CVE-2017-7921** and **Rockwell Automation CVE-2021-22681** (both **CVSS 9.8**) to the **Known Exploited Vulnerabilities (KEV)** catalog due to evidence of active exploitation; this KEV action is unrelated to the Delta Electronics CNCSoft-G2 disclosure and represents a different set of exploited product vulnerabilities requiring separate remediation prioritization.
Mar 21, 2026
Relative Path Traversal Vulnerability in AutomationDirect Productivity Suite
A critical relative path traversal vulnerability, identified as CVE-2025-62498, was discovered in *AutomationDirect Productivity Suite* software, specifically affecting versions up to 4.4.1.19. This vulnerability, also known as ZipSlip, allows an attacker who can tamper with a productivity project file to execute arbitrary code on the machine where the project is opened. The flaw is remotely exploitable and has been assigned a CVSS v3.1 base score of 8.8 and a CVSS v4 score of 9.3, indicating high severity. The vulnerability impacts multiple *Productivity* PLC models, including Productivity 3000, 2000, and 1000 series CPUs running affected software versions. Successful exploitation could enable attackers to gain full control over the affected system, potentially leading to information disclosure, unauthorized file access, or further compromise of industrial control environments. The vulnerability was reported to ICS-CERT, and advisories have been published to inform users and administrators of the risk and to recommend mitigation steps. No affected product table was provided in the CVE feed, but CISA's advisory lists specific impacted models and software versions, emphasizing the need for immediate attention from organizations using these products in critical infrastructure environments.
Mar 21, 2026