Executive Summary
In November 2025, Rockwell Automation disclosed two critical vulnerabilities in its FactoryTalk DataMosaix Private Cloud platform, widely used across critical manufacturing sectors. The flaws include a weak authentication mechanism (CVE-2025-11084) that enables attackers to bypass MFA and gain unauthorized access, and a persistent cross-site scripting bug (CVE-2025-11085) that could facilitate account takeover, credential theft, or redirecting users to malicious sites. Rockwell and CISA jointly warned that attackers could exploit these remotely and potentially take control of sensitive ICS data or operations globally, demanding urgent updates.
These vulnerabilities underscore rising risks tied to identity-driven attacks and web-based threats targeting industrial control environments. With Ransomware-as-a-Service and supply chain attacks escalating, organizations in critical sectors face mounting pressure to implement multi-layered controls and update legacy authentication practices.
Why This Matters Now
Exploitable ICS authentication and XSS flaws present an attractive and relatively low-complexity opportunity for malicious actors to compromise critical infrastructure. As threat actors increasingly seek entry points that bypass or weaken perimeter defenses, addressing these vulnerabilities swiftly is essential to maintain operational resilience and regulatory compliance.
Attack Path Analysis
In the modeled attack path, the adversary exploits the weak authentication flaw to bypass MFA and obtain a valid session token, gaining initial access to FactoryTalk DataMosaix Private Cloud. From that foothold, privileges are escalated by hijacking identities or tokens, potentially using the persistent cross-site scripting bug to steal credentials from other users. Lateral movement then proceeds through compromised session tokens or by abusing internal APIs and service misconfigurations to reach broader cloud and OT environments. Command and control is established by maintaining persistent access, potentially through outbound connections or web shells used to remotely manage the compromised environment. Sensitive data could be exfiltrated over unmonitored outbound channels, including cloud storage or covert egress methods. The resulting impact could include account or data manipulation, business disruption, or persistence for future attacks.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the weak authentication vulnerability (CVE-2025-11084) to bypass MFA requirements and obtain a valid session token, granting access without needing legitimate credentials.
Related CVEs
CVE-2025-11084
CVSS: 6.8
A vulnerability in DataMosaix™ Private Cloud allows attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the user's password when MFA is enabled but not completed within a 7-day period.
Affected Products:
Rockwell Automation FactoryTalk DataMosaix Private Cloud – 7.11, 8.00, 8.01
Exploit Status:
No public exploit
CVE-2025-11085
CVSS: 8.0
A vulnerability in DataMosaix™ Private Cloud allows for Persistent XSS, potentially leading to account takeover, credential theft, or redirection to a malicious website.
Affected Products:
Rockwell Automation FactoryTalk DataMosaix Private Cloud – 7.11, 8.00
Exploit Status:
No public exploit
CVE-2025-12807
CVSS: 8.8
A security issue in DataMosaix™ Private Cloud allows users with low privilege to perform sensitive database operations through exposed API endpoints.
Affected Products:
Rockwell Automation FactoryTalk DataMosaix Private Cloud – 7.11, 8.00, 8.01
Exploit Status:
No public exploit
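The two headline flaws above are instances of two well-known defects: a login flow that hands out a full-privilege token while MFA enrolment is still pending, and stored user content rendered without output encoding. The following is an added example written for this brief, not Rockwell's or DataMosaix's code; every name (User, Session, weak_issue_session, hardened_issue_session, authorize, render_stored_field) and the grace-period policy are hypothetical. It places the weak issuance pattern beside a hardened one that only ever grants a token scoped to finishing enrolment until an MFA challenge has actually been passed, enforces that scope on every request, and HTML-escapes stored fields at render time.

```python
"""Added example: MFA-gated session issuance and safe rendering of stored
user content. Hypothetical code, not the vendor's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from html import escape
from typing import Optional
import secrets

# Constructed policy value for this example: how long a user may leave MFA
# setup unfinished before the account is locked pending an admin reset.
MFA_ENROLL_GRACE = timedelta(days=7)


@dataclass
class User:
    name: str
    mfa_enabled: bool
    mfa_setup_started: Optional[datetime] = None  # enrolment begun at this time
    mfa_setup_completed: bool = False             # enrolment finished


@dataclass
class Session:
    token: str
    scope: str   # "full" or "mfa_enroll"
    user: str


def _new_token() -> str:
    return secrets.token_urlsafe(32)


def weak_issue_session(user: User, mfa_passed: bool, now: datetime) -> Optional[Session]:
    """Weak pattern (do not copy): while MFA setup is pending and inside the
    grace window, a FULL-scope token is issued even though no MFA challenge
    was passed. Both functions assume the first factor was already checked."""
    if user.mfa_enabled and not user.mfa_setup_completed:
        if user.mfa_setup_started and now - user.mfa_setup_started <= MFA_ENROLL_GRACE:
            return Session(_new_token(), "full", user.name)   # the defect
    if user.mfa_enabled and not mfa_passed:
        return None
    return Session(_new_token(), "full", user.name)


def hardened_issue_session(user: User, mfa_passed: bool, now: datetime) -> Optional[Session]:
    """Hardened: a pending enrolment only yields a token scoped to finishing
    enrolment; an expired grace window locks the account; a full-scope token
    requires a passed MFA challenge."""
    if user.mfa_enabled and not user.mfa_setup_completed:
        if user.mfa_setup_started is None or now - user.mfa_setup_started > MFA_ENROLL_GRACE:
            return None   # grace period over: no token until an admin resets enrolment
        return Session(_new_token(), "mfa_enroll", user.name)
    if user.mfa_enabled and not mfa_passed:
        return None
    return Session(_new_token(), "full", user.name)


def authorize(session: Session, action: str) -> bool:
    """Scope is enforced server-side on every request: an mfa_enroll token can
    do nothing except complete enrolment, so it is useless for data access."""
    if session.scope == "full":
        return True
    return action == "complete_mfa_enrollment"


def render_stored_field(value: str) -> str:
    """Persistent-XSS defence: user-supplied text that was stored earlier is
    HTML-escaped at output time, so saved markup is displayed, not executed."""
    return "<td>" + escape(value, quote=True) + "</td>"


def demo() -> dict:
    """Exercise both issuance paths on a user whose MFA setup is 2 days old."""
    now = datetime(2025, 11, 14, tzinfo=timezone.utc)
    pending = User("alice", mfa_enabled=True, mfa_setup_started=now - timedelta(days=2))
    weak = weak_issue_session(pending, mfa_passed=False, now=now)
    hard = hardened_issue_session(pending, mfa_passed=False, now=now)
    expired = User("bob", mfa_enabled=True, mfa_setup_started=now - timedelta(days=9))
    return {
        "weak_scope": weak.scope if weak else None,
        "hard_scope": hard.scope if hard else None,
        "hard_can_read_db": authorize(hard, "read_database") if hard else False,
        "hard_can_finish_enroll": authorize(hard, "complete_mfa_enrollment") if hard else False,
        "expired_gets_token": hardened_issue_session(expired, False, now) is not None,
        "rendered": render_stored_field("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The important design choice is that the enrolment-only token is a distinct scope checked on every request, rather than a flag on a full token that some code path might forget to consult; the grace window governs how long enrolment may stay unfinished, never whether MFA is enforced.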
MITRE ATT&CK® Techniques
Modify Authentication Process: Credential Security Support Provider (CredSSP)
Valid Accounts
Exploit Public-Facing Application
Input Capture: Keylogging
Drive-by Compromise
Command and Scripting Interpreter: JavaScript
Account Discovery: Domain Account
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication and Multi-Factor Authentication (MFA)
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA (Digital Operational Resilience Act) – ICT Risk Management – Identification and Mitigation of Vulnerabilities
Control ID: Article 9(2)
CISA ZTMM 2.0 – Enforce Strong Authentication Methods
Control ID: Identity & Access Management – Authentication Strength
NIS2 Directive – Policies on Access Control and Asset Management
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
The Critical Manufacturing sector faces severe risk from FactoryTalk DataMosaix vulnerabilities that enable MFA bypass and credential theft in industrial control systems.
Automotive
Manufacturing operations are vulnerable to account takeover and malicious website redirection through weak authentication and cross-site scripting in industrial control platforms.
Oil/Energy/Solar/Greentech
Energy infrastructure at risk from exploitable industrial control system vulnerabilities allowing remote attackers to bypass multi-factor authentication and steal credentials.
Utilities
Critical infrastructure operators face immediate threats from persistent cross-site scripting and authentication bypass vulnerabilities in widely deployed industrial automation systems.
Sources
- CISA ICS Advisory: Rockwell Automation FactoryTalk DataMosaix Private Cloud – https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-07 (Verified)
- Rockwell Automation Security Advisory SD1758 – https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1758.html (Verified)
- Rockwell Automation Security Advisory SD1765 – https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1765.html (Verified)
- NVD Entry for CVE-2025-11084 – https://nvd.nist.gov/vuln/detail/CVE-2025-11084 (Verified)
- NVD Entry for CVE-2025-11085 – https://nvd.nist.gov/vuln/detail/CVE-2025-11085 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, continuous traffic inspection, and robust egress controls would have restricted the adversary’s ability to move laterally, exfiltrate sensitive ICS data, and maintain persistence. CNSF-aligned controls such as microsegmentation, inline IPS, encrypted traffic enforcement, and threat detection would have either prevented or detected key moments in the kill chain, containing the attack at multiple stages.
Control: Inline IPS (Suricata)
Mitigation: Potential prevention of unauthorized session generation or detection of anomaly indicative of exploit.
Control: Zero Trust Segmentation
Mitigation: Restricted access scope and containment of post-compromise account escalation.
Control: East-West Traffic Security
Mitigation: Detection or interruption of unauthorized lateral movements between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 traffic blocked or identified during attempted remote management.
Control: Encrypted Traffic (HPE) and Cloud Firewall (ACF)
Mitigation: Data exfiltration attempts detected or blocked on unapproved channels.
Real-time alerting and rapid response to malicious account changes or system disruptions.
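The detection controls listed above come down to two observable signals for this kill chain: a login token issued to an MFA-enrolled account with no MFA verification immediately before it, and a session token that was issued to one source address being replayed from another (the expected footprint of a stolen or hijacked session). The following is an added example, not part of the original brief and not the vendor's or CNSF's code: it runs those two correlation rules over constructed authentication log lines. The key=value log format, the event names, the user list and the 5-minute window are all assumptions of the example.

```python
"""Added example: two correlation rules over constructed auth logs.
Hypothetical format and event names, not the product's real log schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log. alice logs in properly; bob receives a token with no
# MFA verification; alice's token is later replayed from a different address.
SAMPLE_LOG = """\
2025-11-14T10:02:11Z user=alice event=password_ok src=10.0.0.5
2025-11-14T10:02:12Z user=alice event=mfa_verified src=10.0.0.5
2025-11-14T10:02:12Z user=alice event=login_token_issued src=10.0.0.5 token=t-a1
2025-11-14T10:02:30Z user=alice event=api_call src=10.0.0.5 token=t-a1
2025-11-14T10:05:40Z user=bob event=login_token_issued src=203.0.113.9 token=t-b7
2025-11-14T10:06:01Z user=bob event=api_call src=203.0.113.9 token=t-b7
2025-11-14T10:07:15Z user=alice event=api_call src=198.51.100.23 token=t-a1
"""

# Assumed: the set of accounts for which MFA is mandatory (in practice, pulled
# from the identity provider rather than hard-coded).
MFA_REQUIRED_USERS = {"alice", "bob"}
# Assumed: how long after an MFA verification a token issuance is still "covered".
MFA_WINDOW = timedelta(minutes=5)

Alert = Tuple[str, str, str]   # (rule, user, token)


def parse_line(line: str) -> Dict[str, object]:
    """Parse 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *kvs = line.split()
    rec: Dict[str, object] = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in kvs:
        key, _, val = kv.partition("=")
        rec[key] = val
    return rec


def detect(log_text: str) -> List[Alert]:
    """Rule 1: login_token_issued for an MFA-required user without an
    mfa_verified event for that user inside MFA_WINDOW.
    Rule 2: a token observed from a source address other than the one(s)
    it was previously seen from (session hijack / token theft indicator)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts: List[Alert] = []
    last_mfa: Dict[str, datetime] = {}
    token_sources: Dict[str, set] = defaultdict(set)

    for e in events:
        user = str(e["user"])
        if e["event"] == "mfa_verified":
            last_mfa[user] = e["ts"]   # type: ignore[assignment]
        elif e["event"] == "login_token_issued" and user in MFA_REQUIRED_USERS:
            verified_at = last_mfa.get(user)
            if verified_at is None or e["ts"] - verified_at > MFA_WINDOW:   # type: ignore[operator]
                alerts.append(("token_without_mfa", user, str(e["token"])))
        if "token" in e:
            seen = token_sources[str(e["token"])]
            if seen and e["src"] not in seen:
                alerts.append(("token_reused_from_new_source", user, str(e["token"])))
            seen.add(e["src"])
    return alerts


if __name__ == "__main__":
    for rule, user, token in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: user={user} token={token}")
```

Rule 1 is the control-plane check that would have surfaced the MFA-bypass class of flaw even before a patch was available; rule 2 is deliberately coarse (mobile users change addresses legitimately) and is best treated as a signal to correlate with the first rule or with privileged API activity rather than as a standalone block.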
Impact at a Glance
Affected Business Functions
- Data Management
- User Authentication
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of user credentials and sensitive data due to account takeover and unauthorized database operations.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and east-west traffic controls to minimize lateral movement risk within ICS/cloud networks.
- Deploy inline IPS and anomaly detection to quickly identify and block authentication bypass or session hijack attempts.
- Enforce granular egress security and FQDN filtering to prevent unauthorized outbound C2 and exfiltration channels.
- Ensure all sessions and data in transit are encrypted and actively inspected to protect against interception and data leakage.
- Maintain comprehensive centralized visibility and continuous incident response readiness to rapidly contain and remediate breaches.