Cyber Posture

CVE-2025-66588

Critical
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: affectedAppOther: not affectedOth

Published: 11 December 2025

Published
11 December 2025
Modified
02 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 33.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66588 is a critical-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Azeotech Daqfactory. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and correction of software flaws like the uninitialized pointer vulnerability in DAQFactory 20.7 Build 2555 to prevent remote arbitrary code execution.

SA-22 Unsupported System Components good match
prevent

Prohibits deployment and use of unsupported system components, such as the vulnerable DAQFactory release, requiring replacement to eliminate exposure to this specific uninitialized pointer flaw.

SI-16 Memory Protection partial match
prevent

Implements memory protection mechanisms like ASLR and DEP that hinder exploitation of uninitialized pointer dereferences for arbitrary code execution even if the underlying flaw persists.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability enables remote unauthenticated arbitrary code execution in a network-accessible application, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

In AzeoTech DAQFactory release 20.7 (Build 2555), an Access of Uninitialized Pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution.

Deeper analysisAI

CVE-2025-66588 is an Access of Uninitialized Pointer vulnerability (CWE-824) in AzeoTech DAQFactory release 20.7 (Build 2555). Published on 2025-12-11, this flaw allows exploitation leading to arbitrary code execution.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it highly severe. Remote attackers require no privileges or user interaction and face low attack complexity over the network, achieving high impacts on confidentiality, integrity, and availability through arbitrary code execution.

Mitigation guidance is available in CISA ICS Advisory ICSA-25-345-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03.

Details

CWE(s)
CWE-824

Affected Products

azeotech
daqfactory
≤ 21.1

CVEs Like This One

CVE-2025-66590Same product: Azeotech Daqfactory
CVE-2025-2173Shared CWE-824
CVE-2026-21275Shared CWE-824
CVE-2026-2100Shared CWE-824
CVE-2025-26599Shared CWE-824
CVE-2026-6757Shared CWE-824
CVE-2026-2785Shared CWE-824
CVE-2025-27162Shared CWE-824
CVE-2025-32451Shared CWE-824
CVE-2026-21276Shared CWE-824

References