The Cybersecurity and Infrastructure Security Agency (CISA) published an industrial control systems advisory on June 18, 2026, identified as icsa-26-169-02, documenting a vulnerability in AzeoTech DAQFactory, a data acquisition and human-machine interface software product. The advisory records the flaw as CVE-2026-12390 and classifies it under CWE-843, Access of Resource Using Incompatible Type, commonly described as a type confusion vulnerability. According to the advisory, the affected versions are DAQFactory 21.1 and prior.

CISA's summary states that successful exploitation could allow an attacker to upload malicious .ctl files that may lead to arbitrary code execution. The advisory lists the affected product as deployed worldwide in the Critical Manufacturing sector, with the vendor headquartered in the United States. The CVE description in the advisory narrows the mechanism to the file format used by the software, framing exploitation as dependent on a user interacting with a crafted document.

"In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution."— CISA, source

How the advisory scores the flaw

The advisory records two CVSS metric sets for CVE-2026-12390. Under CVSS version 3.1, it lists a base score of 7.8 with a severity of HIGH and the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Under CVSS version 4.0, it lists a base score of 8.4, also rated HIGH, with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. In both vectors the attack vector is recorded as local (AV:L) and user interaction is required, which aligns with the advisory's description of the flaw being triggered through a crafted .ctl file rather than over a network connection.

CISA states in the advisory that no known public exploitation specifically targeting this vulnerability has been reported to the agency at this time, and that the vulnerability is not exploitable remotely. The CVSS vectors recorded in the advisory are consistent with that characterization: the local attack vector and the user interaction requirement both point to an exploitation path that runs through document handling on a host rather than direct remote access.

Mitigations listed in the advisory

The advisory enumerates four mitigations attributed to the vendor's guidance for users of the affected product. Per the advisory, users are discouraged from using documents from unknown or untrusted sources. The advisory also states that users are encouraged to store .ctl files in a folder only writeable by admin-level users, to operate in "Safe Mode" when loading documents that have been out of their control, and to apply a document editing password to their documents. Each of these measures is framed in the advisory around reducing the opportunity for a crafted file to reach and be opened by the software.

Beyond the product-specific mitigations, the advisory repeats CISA's standard recommended practices for control system environments. These include minimizing network exposure for control system devices so they are not accessible from the internet, locating control system networks and remote devices behind firewalls and isolating them from business networks, and using more secure methods such as virtual private networks when remote access is required, while recognizing that a VPN is only as secure as its connected devices. The advisory notes that CISA reminds organizations to perform impact analysis and risk assessment prior to deploying defensive measures.

The advisory credits the reporting of the vulnerability to Rocco Calvi (@TecR0c) of TecSecurity and to rgod of TrendAI Zero Day Initiative, both of whom the advisory states reported the issue to CISA. The revision history lists an initial release date of 2026-06-18, marking this as the first publication of the advisory. For organizations running DAQFactory in critical manufacturing settings, the record in icsa-26-169-02 is the primary reference point for the affected version range, the CVE identifier, and the mitigation steps as stated by CISA and the vendor.

The advisory places the flaw within the broader pattern of file-format vulnerabilities in operational technology software, where a project or configuration file functions as an executable input. The .ctl extension referenced throughout the advisory is the file type DAQFactory uses for its documents, and the type confusion condition described means the software can interpret data in such a file in a way that diverges from its intended type. CISA's recommended practices section closes by encouraging organizations that observe suspected malicious activity to follow established internal procedures and report findings to the agency for tracking and correlation against other incidents.

What the version range and CWE classification indicate

The single affected version range recorded in the advisory is DAQFactory at version 21.1 and prior, listed with a product status of known_affected. The advisory does not list a fixed version in its remediations section; instead, every remediation entry it carries is a mitigation rather than a patch reference. That distinction is reflected in the four mitigations attributed to the vendor, which center on controlling where .ctl files come from, restricting write access to the folders that hold them, loading untrusted documents in Safe Mode, and applying a document editing password. Each mitigation operates on the input side of the exploitation chain the advisory describes, where a malicious file must first reach the software and be opened.

The CWE-843 classification recorded in the advisory, Access of Resource Using Incompatible Type, describes a condition in which code accesses a resource using a type that is incompatible with the type for which it was originally allocated. The advisory ties that condition specifically to the .ctl document format, and the relevant CWE reference it provides points to CWE-843 in the MITRE catalog. The two CVSS vector strings recorded for CVE-2026-12390 both encode high confidentiality and integrity impacts, which corresponds to the advisory's stated outcome of code execution following the opening of a crafted file. For defenders running DAQFactory, the advisory's mitigation set and the recorded version range together define the immediate scope of the exposure as documented by CISA and the vendor.