Cyber Resilience

CVE-2025-66588

HighUpdated

Published: 11 December 2025

Published
11 December 2025
Modified
04 June 2026
KEV Added
Patch
CVSS Score v4 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0009 24.9th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66588 is a high-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Azeotech Daqfactory. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-66588 is an Access of Uninitialized Pointer vulnerability (CWE-824) in AzeoTech DAQFactory release 20.7 (Build 2555). Published on 2025-12-11, this flaw allows exploitation leading to arbitrary code execution.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it highly severe. Remote attackers require no privileges or user interaction and face low attack complexity over the network, achieving high impacts on confidentiality, integrity, and availability through arbitrary code execution.

Mitigation guidance is available in CISA ICS Advisory ICSA-25-345-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03.

EU & UK References

Vulnerability details

In AzeoTech DAQFactory release 20.7 (Build 2555), an access of uninitialized pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote unauthenticated arbitrary code execution in a network-accessible application, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66590Same product: Azeotech Daqfactory
CVE-2025-66589Same product: Azeotech Daqfactory
CVE-2025-2173Shared CWE-824
CVE-2026-42959Shared CWE-824
CVE-2025-27162Shared CWE-824
CVE-2026-2785Shared CWE-824
CVE-2026-21276Shared CWE-824
CVE-2026-21275Shared CWE-824
CVE-2025-27158Shared CWE-824
CVE-2026-6757Shared CWE-824

Affected Assets

azeotech
daqfactory
≤ 21.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of software flaws like the uninitialized pointer vulnerability in DAQFactory 20.7 Build 2555 to prevent remote arbitrary code execution.

prevent

Prohibits deployment and use of unsupported system components, such as the vulnerable DAQFactory release, requiring replacement to eliminate exposure to this specific uninitialized pointer flaw.

prevent

Implements memory protection mechanisms like ASLR and DEP that hinder exploitation of uninitialized pointer dereferences for arbitrary code execution even if the underlying flaw persists.

References