Persistent XSS Vulnerability in FactoryTalk DataMosaix Private Cloud
A high-severity persistent cross-site scripting (XSS) vulnerability, tracked as CVE-2025-11085, was identified in the FactoryTalk DataMosaix Private Cloud platform. This flaw allows remote attackers to execute malicious JavaScript within the application, potentially leading to account takeover, credential theft, or redirection to malicious websites. The vulnerability is remotely exploitable and was disclosed by Rockwell Automation's Product Security Incident Response Team (PSIRT).
Rockwell Automation published a security advisory (SD1758) confirming the existence of CVE-2025-11085, along with at least one other vulnerability (CVE-2025-11084) affecting the same product. The advisory states that the issue has been corrected, but no workaround is available. There is currently no evidence that the vulnerability has been exploited in the wild. Users of FactoryTalk DataMosaix Private Cloud are advised to apply the recommended updates to mitigate the risk associated with this vulnerability.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA publishes ICS advisory on FactoryTalk DataMosaix Private Cloud
CISA released ICS advisory ICSA-25-317-07 covering Rockwell Automation FactoryTalk DataMosaix Private Cloud vulnerabilities. The advisory amplified the disclosure to the industrial control systems community.
CVE-2025-11085 persistent XSS vulnerability is publicly listed
A high-severity entry for CVE-2025-11085 identified a persistent cross-site scripting vulnerability in FactoryTalk DataMosaix Private Cloud. This represents public cataloging of one of the disclosed flaws.
Rockwell discloses multiple vulnerabilities in FactoryTalk DataMosaix Private Cloud
Rockwell Automation published security advisory SD1758 for FactoryTalk DataMosaix Private Cloud, disclosing multiple vulnerabilities affecting the product. The advisory marks the vendor's public disclosure of the issue set.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Rockwell Automation FactoryTalk DataMosaix Private Cloud
cisa.gov
Open sourceCVE-2025-11085 - FactoryTalk® DataMosaix™ Private Cloud – Persistent XSS
cvefeed.io
Open sourceFactoryTalk® DataMosaix™ Private Cloud – Multiple Vulnerabilities
rockwellautomation.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Rockwell FactoryTalk DataMosaix SQL Injection Vulnerability
Rockwell Automation disclosed a high-severity SQL injection vulnerability (CVE-2025-12807) affecting its FactoryTalk® DataMosaix™ Private Cloud product. The flaw, discovered during internal testing, could allow attackers to tamper with industrial data or cause denial-of-service conditions impacting safety devices, with remediation requiring manual intervention. The company has released a security advisory detailing the issue, confirming that no known exploitation has occurred and providing guidance for customers to address the vulnerability. Security researchers highlighted the risk of data tampering and operational disruption in industrial environments due to this SQL injection flaw. The vulnerability underscores the importance of timely patching and manual remediation in critical infrastructure systems, as automated fixes are not available. Organizations using affected Rockwell products are urged to review the official advisory and implement recommended mitigations to protect against potential exploitation.
Mar 21, 2026
Multiple High-Severity Vulnerabilities in Rockwell Automation FactoryTalk Products
Rockwell Automation has disclosed several high-severity vulnerabilities affecting its FactoryTalk product line, including FactoryTalk View Machine Edition, PanelView Plus 7, and FactoryTalk ViewPoint. One of the vulnerabilities, tracked as CVE-2025-9064, is a path traversal issue in FactoryTalk View Machine Edition that allows unauthenticated attackers on the same network to delete arbitrary files from the device’s operating system, provided they know the filenames. This vulnerability is remotely exploitable and could lead to significant disruption or loss of critical files on affected devices. The company’s advisory SD1753 confirms that both FactoryTalk View Machine Edition and PanelView Plus 7 are impacted by this flaw, and that mitigations and workarounds are available. Another critical vulnerability, CVE-2025-9066, affects FactoryTalk ViewPoint and enables unauthenticated attackers to exploit XML External Entity (XXE) processing via certain SOAP requests. Successful exploitation of this flaw can result in a temporary denial-of-service condition, potentially disrupting industrial operations. Rockwell Automation’s advisory SD1752 details the XXE vulnerability, noting that it was discovered internally during routine security testing and that no known exploitation in the wild has been reported. Both vulnerabilities have been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk to industrial environments where these products are deployed. The advisories state that patches and workarounds are available, and customers are urged to apply them promptly to mitigate risk. The company emphasizes that the vulnerabilities are not currently known to be exploited in the wild, but the potential impact on industrial control systems is significant due to the products’ widespread use. The advisories also highlight Rockwell Automation’s commitment to transparency and proactive security practices, as these issues were identified through internal testing rather than external reports. Customers are encouraged to review the official advisories and implement recommended mitigations, including network segmentation and limiting access to trusted users. The affected products are commonly used in industrial automation environments, making timely remediation critical to prevent potential operational disruptions. The advisories provide detailed technical information and guidance for system administrators to assess and address the vulnerabilities. Rockwell Automation has made available downloadable advisories in Vulnerability Exploitability Exchange format for integration with vulnerability management tools. The company’s response includes both immediate patches and suggested workarounds for environments where patching may not be immediately feasible. Organizations using FactoryTalk View Machine Edition, PanelView Plus 7, or FactoryTalk ViewPoint should prioritize reviewing their exposure and applying the recommended security measures.
Mar 21, 2026
Rockwell Automation FactoryTalk Linx Privilege Escalation Vulnerabilities via MSI Repair Functionality
Rockwell Automation has disclosed two high-severity privilege escalation vulnerabilities affecting its FactoryTalk Linx software, specifically related to the Microsoft Installer (MSI) repair functionality. The vulnerabilities, tracked as CVE-2025-9067 and CVE-2025-9068, impact both the x86 and x64 versions of the FactoryTalk Linx driver package. Authenticated attackers with valid Windows user credentials can exploit these flaws by initiating a repair operation on the MSI installer. During this process, the attacker can hijack the resulting console window, which is associated with the vbpinstall.exe process. This hijacking enables the attacker to launch a command prompt with SYSTEM-level privileges, granting them full access to all files, processes, and system resources on the affected system. The vulnerabilities are not remotely exploitable, requiring local access and valid credentials to carry out the attack. Rockwell Automation has acknowledged the issue and published a security advisory (SD1754) on October 14, 2025, outlining the risks and available mitigations. As of the advisory's publication, no official patch or correction has been released, but workarounds are available to reduce the risk of exploitation. The vulnerabilities have not been reported as known to be exploited in the wild at the time of disclosure. Both CVE-2025-9067 and CVE-2025-9068 were assigned a high CVSS score of 8.5, reflecting the significant risk posed by potential privilege escalation. The advisory emphasizes the importance of restricting access to systems running FactoryTalk Linx and ensuring that only trusted users have local access. Organizations are encouraged to review the provided workarounds and monitor for future updates regarding patches or permanent fixes. The vulnerabilities highlight the ongoing risks associated with installer repair functionalities, which can be abused for privilege escalation if not properly secured. Rockwell Automation's Product Security Incident Response Team (PSIRT) is the source of the vulnerability disclosures. The affected product versions have not been explicitly listed, but all users of FactoryTalk Linx are advised to assess their exposure. The advisory is part of Rockwell Automation's commitment to transparency and proactive security communication with its customers. Industrial organizations using FactoryTalk Linx should prioritize reviewing their security posture in light of these vulnerabilities. The disclosure underscores the need for robust access controls and monitoring on critical industrial automation systems. Ongoing vigilance and timely application of mitigations are essential to prevent potential exploitation of these privilege escalation flaws.
Mar 21, 2026