CVE-2025-66588
Published: 11 December 2025
Description
In AzeoTech DAQFactory release 20.7 (Build 2555), an Access of Uninitialized Pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of software flaws like the uninitialized pointer vulnerability in DAQFactory 20.7 Build 2555 to prevent remote arbitrary code execution.
Prohibits deployment and use of unsupported system components, such as the vulnerable DAQFactory release, requiring replacement to eliminate exposure to this specific uninitialized pointer flaw.
Implements memory protection mechanisms like ASLR and DEP that hinder exploitation of uninitialized pointer dereferences for arbitrary code execution even if the underlying flaw persists.
Security SummaryAI
CVE-2025-66588 is an Access of Uninitialized Pointer vulnerability (CWE-824) in AzeoTech DAQFactory release 20.7 (Build 2555). Published on 2025-12-11, this flaw allows exploitation leading to arbitrary code execution.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it highly severe. Remote attackers require no privileges or user interaction and face low attack complexity over the network, achieving high impacts on confidentiality, integrity, and availability through arbitrary code execution.
Mitigation guidance is available in CISA ICS Advisory ICSA-25-345-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote unauthenticated arbitrary code execution in a network-accessible application, directly mapping to exploitation of public-facing applications.