Industrial organizations received an urgent wake-up call on June 18, 2026, when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released advisory ICSA-26-169-02. The advisory warns that a type-confusion vulnerability in AzeoTech DAQFactory, a widely used data acquisition and control application for Windows, can allow attackers to hijack systems simply by tricking users into opening a malicious project file. Tracked as CVE-2026-12390, the flaw affects DAQFactory version 21.1 and all prior releases, leaving countless industrial control environments exposed to remote code execution attacks.
This isn’t a theoretical risk. The .ctl files that DAQFactory uses to store project configurations—containing everything from sensor layouts to scripting logic—can now serve as delivery vehicles for arbitrary code. The vulnerability sits at the intersection of IT and operational technology (OT), and for Windows-reliant industrial networks, it represents one of the most dangerous vectors uncovered in 2026.
What is DAQFactory and Why It Matters for Windows Users
AzeoTech DAQFactory is a stalwart in the industrial automation space. It enables engineers to build human-machine interfaces (HMIs), log sensor data, automate equipment, and visualize real-time processes—all on standard Windows desktops or servers. Its scripting engine, drag-and-drop form designer, and extensive protocol support have made it a favorite for applications ranging from laboratory experiments to water treatment plants and energy management systems.
Because DAQFactory runs natively on Windows, it inherits the operating system’s wide attack surface. A compromise of the application can easily escalate to a full system compromise, granting attackers access to the underlying OS, domain credentials, and lateral movement possibilities. The software’s centrality to process control means that successful exploitation could disrupt physical operations, not just digital assets.
Type Confusion: A Primer
Type confusion vulnerabilities arise when a program expects one data type but receives another, leading to memory corruption or logic errors. In languages like C++ (which DAQFactory’s runtime likely employs), object pointers can be reinterpreted incorrectly, causing the program to execute unintended code paths. Attackers carefully craft input—in this case, a .ctl file—to trigger a mismatch, tricking the application into treating one object as a different, more powerful one.
The result is often arbitrary code execution with the privileges of the vulnerable process. If the process runs with elevated rights or can be leveraged to gain those rights, the attacker seizes control of the entire machine. This class of bugs has haunted major platforms for decades, from browser engines to antivirus products, and its appearance in an OT-oriented tool underscores how industrial software often lags behind in memory safety hardening.
The .ctl File Attack Vector
DAQFactory stores entire project configurations in files with the .ctl extension. These files bundle control logic, communication settings, screen layouts, and even embedded scripts. Under normal circumstances, double-clicking a .ctl file launches DAQFactory and loads the project—exactly what a plant operator does hundreds of times per shift.
CVE-2026-12390 weaponizes that routine action. By crafting a .ctl file with malformed structures that trigger type confusion during parsing, an attacker can force the application to execute arbitrary system commands, install malware, or alter industrial processes on the fly. The malicious file could arrive via a phishing email, a compromised USB drive, or a poisoned network share. Because .ctl files are trusted artifacts in OT environments, they rarely attract the same suspicion as an .exe or .msi file, making social engineering that much easier.
CVE-2026-12390 in Detail
According to CISA’s advisory, the flaw resides in DAQFactory’s handling of certain project components. The specific technical details remain under coordinated disclosure, but a type-confusion issue typically involves a vulnerable parsing function that erroneously casts a data object. For example, the application might read a sequence of bytes intended as a harmless configuration parameter but interpret it as a callback pointer to an attacker-controlled address.
Versions 21.1 and earlier are confirmed susceptible. AzeoTech likely introduced the update in a later release—perhaps version 21.2 or a dedicated security patch—but ICSA-26-169-02 is the first public documentation. CISA assigned a CVSS base score of 8.8, reflecting high severity due to low attack complexity, lack of privileges required, and the need for user interaction (opening the file). The impact on confidentiality, integrity, and availability is rated as high.
Critically, exploiting CVE-2026-12390 does not require authentication or special privileges on the target system. The attacker only needs to get the victim to load the poisoned .ctl file. Once executed, the code runs in the context of the DAQFactory process, which typically has read/write access to sensitive process data and network connected controllers.
Exploitation and Impact
Imagining a real-world scenario clarifies the danger. An attacker sends a spear-phishing email to a maintenance engineer with a subject line: “Updated pump sequence for Line 4 – please review.” Attached is a .ctl file named “line4_sequence_v3.ctl.” The engineer, accustomed to sharing such files with colleagues, opens it directly. DAQFactory parses the file, hits the type confusion, and the embedded payload downloads a remote access trojan. Within minutes, the attacker has a foothold on a Windows PC inside the process control network.
From there, the intruder can pivot to PLCs, SCADA servers, or the corporate IT side. Depending on the network architecture, the entire plant floor could be at risk. Because OT environments often lack the layered defenses of modern enterprises, a single compromised workstation can be a catastrophe. Asset owners must assume that skilled adversaries—whether cybercriminals aiming for ransomware or nation-state actors seeking to disrupt critical infrastructure—will quickly weaponize this bug.
Mitigation and Workarounds
CISA’s advisory provides a clear path to remediation. The first step is to consult the ICS advisory for AzeoTech’s official patch. While the vendor has not announced a specific update version in the public excerpt, advisory ICSA-26-169-02 typically includes vendor instructions. In past ICS advisories, a patched version would be clearly listed. If AzeoTech releases DAQFactory 21.2 or a hotfix, immediate deployment is critical. Organizations should subscribe to the vendor’s update mailing list to receive the fix as soon as it’s available.
Until the patch is applied, operators must restrict the opening of .ctl files from untrusted sources. Disable the automatic association of .ctl files with DAQFactory on all non-engineering workstations. Implement application whitelisting to prevent unauthorized executables from running even if a breech occurs. Network segmentation should isolate HMI/SCADA systems from corporate LANs and the internet. The principle of least privilege mandates that DAQFactory processes run with the minimum necessary rights, never with administrative credentials.
Additionally, consider file-integrity monitoring and endpoint detection solutions that can alert on anomalous process behavior triggered by file parsing. User awareness training must emphasize that .ctl files are not harmless—they are executable code containers.
Industrial Windows Security Under Scrutiny
The DAQFactory advisory is the latest in a string of ICS-related vulnerabilities targeting Windows. From the TRISIS malware that manipulated safety instrumented systems to the more recent CODESYS flaws, threat actors recognize that Windows is the common desktop for industrial engineering and HMIs. Every unpatched HMI or engineering tool becomes a potential entry point.
Type confusion bugs, in particular, have become a recurring theme. In 2024, a similar issue in a widely used OPC-UA client allowed crafted configuration files to crash or compromise Windows machines. The pattern underscores a systemic problem: industrial software developers often port legacy codebases forward without adopting memory-safe languages like Rust or rigorous fuzzing regimes. The result is decades-old bug classes persisting in contemporary products.
Regulatory pressure is mounting. In the U.S., the Cybersecurity and Infrastructure Security Agency has expanded its binding operational directives for critical infrastructure. Facility operators found willfully ignoring known vulnerabilities face penalties. For many plants, however, the operational imperative to keep systems online conflicts with the need to patch quickly. This vulnerability may force a reckoning, as the simplicity of the attack vector makes it too dangerous to defer.
Conclusion
CISA’s ICSA-26-169-02 is a reminder that in the interconnected world of industrial automation, a single project file can be a deadly weapon. AzeoTech DAQFactory has been a dependable tool for decades, but the discovery of CVE-2026-12390 means that trust must now be verified. Organizations that run DAQFactory on Windows should treat this advisory with the urgency it merits—patch immediately, scrutinize every .ctl file, and reinforce network defenses.
The real question is not whether attackers will exploit this flaw, but how quickly they will do so. With proof-of-concept code often following within days of a CISA advisory, the window of safety is closing fast. Industrial security teams must act now to turn the .ctl file from an instrument of compromise back into a simple configuration document.