Rockwell Automation FactoryTalk DataMosaix Private Cloud
Plan Patch | 8 | ICS-CERT ICSA-25-317-07 | Nov 13, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
FactoryTalk DataMosaix Private Cloud versions 7.11_8.00 and 7.11_8.00_8.01 contain input validation flaws (CWE-1390, CWE-116) that allow authenticated users with low privileges to perform account takeover, steal credentials, redirect users to malicious websites, and bypass multi-factor authentication. Successful exploitation requires the attacker to have valid user credentials and to convince a user to click a malicious link or interact with attacker-controlled content.
What this means
What could happen
An authenticated attacker with low privileges could hijack user accounts, steal credentials, redirect users to phishing sites, or bypass multi-factor authentication on FactoryTalk DataMosaix Private Cloud, gaining access to plant configuration and historical data systems that operators rely on for process visibility and decision-making.
Who's at risk
Water authorities and utilities using FactoryTalk DataMosaix Private Cloud for SCADA data analysis, historian access, and plant performance dashboards should prioritize this. Any facility relying on DataMosaix for process visibility and reporting is affected, particularly those with multi-user access or remote operators.
How it could be exploited
An attacker needs valid low-privilege credentials to log into FactoryTalk DataMosaix Private Cloud. Once authenticated, the attacker can exploit insufficient input validation to perform account takeover, credential theft, phishing redirection, or MFA bypass attacks. The attack requires user interaction (clicking a link or opening content sent by the attacker).
Prerequisites
- Valid low-privilege user credentials for FactoryTalk DataMosaix Private Cloud
- Network access to the FactoryTalk DataMosaix Private Cloud web interface
- Target user must click a link or interact with attacker-supplied content
- Low attack complexity
- Requires valid user credentials
- Requires user interaction
- Affects high-value data access (credentials, process configuration, historical data)
- No patch currently available for versions 7.11_8.00 and 7.11_8.00_8.01
- CVSS 8.0 (High severity)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| FactoryTalk DataMosaix Private Cloud: 7.11_8.00_8.01 | 7.11 8.00 8.01 | 8.02 (CVE-2025-11084), 8.01 (CVE-2025-11085) |
| FactoryTalk DataMosaix Private Cloud: 7.11_8.00 | 7.11 8.00 | 8.02 (CVE-2025-11084), 8.01 (CVE-2025-11085) |
Remediation & Mitigation
Do now
- HARDENING: Educate users not to click unsolicited links or open attachments in emails related to FactoryTalk access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update FactoryTalk DataMosaix Private Cloud to Version 8.02 (fixes CVE-2025-11084)
- HOTFIX: Update FactoryTalk DataMosaix Private Cloud to Version 8.01 (fixes CVE-2025-11085)
Long-term hardening
- HARDENING: Isolate FactoryTalk DataMosaix Private Cloud from the Internet; place behind firewall and separate from business networks
- HARDENING: Use VPN with multi-factor authentication for all remote access to FactoryTalk DataMosaix Private Cloud
- HARDENING: Monitor and enforce strong password policies and credential hygiene for all FactoryTalk DataMosaix users
CVEs (2)