CISA flags DAQFactory code-execution flaw without a patch
This is not an internet-facing emergency, but a file-handling bug with no listed fix is still phishing fuel for OT shops.
TL;DR
CISA warned that AzeoTech DAQFactory 21.1 and earlier has a type-confusion flaw, CVE-2026-12390, that can execute code through specially crafted .ctl files. The advisory rates it CVSS 7.8 under v3.1 and 8.4 under v4.0, and says no public exploitation has been reported. Contractors, MSPs, ISVs, and defense-industrial-base users running DAQFactory should treat untrusted project files as the attack path, because CISA listed mitigations but no patched release.
CISA’s advisory is narrow, which is useful. CVE-2026-12390 is not described as remotely exploitable, and the CVSS vector requires user interaction. The practical risk is the old OT problem with a new number: someone opens a crafted .ctl file in DAQFactory, and the file parser gives an attacker code execution in the current process.
For teams running DAQFactory 21.1 or earlier in critical manufacturing environments, the Monday work is file control, not emergency firewall theater. CISA says users should avoid documents from unknown or untrusted sources, keep .ctl files in folders writable only by administrators, use Safe Mode for documents that have left their control, and apply document editing passwords. Those are exposure reducers, not remediation. The advisory does not identify a vendor-fixed version.
That missing version number matters more than the CVSS score. Until AzeoTech or CISA names a release that closes CVE-2026-12390, contractors and service providers have a known social-engineering window around DAQFactory project files. Treat inbound .ctl files like executable content, because for this advisory, that is close enough to the truth.
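One of the mitigations above is concrete enough to check mechanically: .ctl project files should sit in folders writable only by administrators. The following PowerShell script is an added example written for this article, not code from CISA, AzeoTech, or the DAQFactory product. It walks a project root (the path is a placeholder you must change), finds every folder that holds at least one .ctl file, and reports any Allow entry that gives a principal outside the built-in administrator and system identities some form of write, create, or delete right. The allowed-principal list and the project root are assumptions for the example; adjust them to your environment.

```powershell
# Added example (not from CISA or AzeoTech): audit folders holding DAQFactory
# .ctl project files and report access entries that let non-administrators
# write to them, matching the advisory's "writable only by administrators".
# The root path is a placeholder; the allowed-writer list is an assumption.

param(
    [string]$Root = 'C:\DAQFactory\Projects'   # placeholder: your project root
)

# Principals that may hold write rights on project folders (assumed set).
# CREATOR OWNER is an inherit-only entry that applies to objects created by a
# principal that already has create rights, so it is not a finding on its own.
$AllowedWriters = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'CREATOR OWNER'
)

# Rights that amount to "can change, replace, or remove a .ctl file".
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Get-ProjectFolders {
    param([string]$Path)
    # Every distinct directory that contains at least one .ctl file.
    Get-ChildItem -Path $Path -Recurse -Filter '*.ctl' -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DirectoryName -Unique
}

function Test-FolderWritableByNonAdmin {
    param([string]$Folder)
    $acl = Get-Acl -Path $Folder
    foreach ($ace in $acl.Access) {
        # Deny entries and allowed principals never produce a finding.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($AllowedWriters -contains $ace.IdentityReference.Value) { continue }
        # Any overlap with the write-class rights is reported.
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [PSCustomObject]@{
                Folder    = $Folder
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = Get-ProjectFolders -Path $Root |
    ForEach-Object { Test-FolderWritableByNonAdmin -Folder $_ }

if ($findings) {
    Write-Host "Folders with .ctl files writable by non-administrators:"
    $findings | Format-Table -AutoSize
    exit 1
}
else {
    Write-Host "All .ctl project folders under $Root are writable only by the allowed principals."
    exit 0
}
```

Run it from an elevated prompt so Get-Acl can read every folder, and treat a non-zero exit as a work item: an inherited Modify entry for Users or Authenticated Users is the common way a default Windows ACL quietly undoes the "administrators only" mitigation. The script reports and exits; it does not change any ACL, so fixing findings remains a deliberate step.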
Published · Deep Fathom