Rockwell Automation FactoryTalk DataMosaix Private Cloud

Plan PatchCVSS 8ICS-CERT ICSA-25-317-07Nov 11, 2025

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

FactoryTalk DataMosaix Private Cloud contains vulnerabilities (CVE-2025-11084, CVE-2025-11085) in authentication and session management that allow an attacker with user credentials to take over other accounts, steal credentials, redirect users to malicious sites, or bypass multi-factor authentication. Successful exploitation compromises access controls on a platform used for manufacturing data collection and analysis across enterprises running Rockwell Automation production systems.

What this means

What could happen

An attacker with user credentials could steal other user accounts, compromise credentials, redirect users to phishing sites, or bypass multi-factor authentication on the DataMosaix platform, potentially gaining access to sensitive manufacturing data and process control settings.

Who's at risk

Manufacturing operators and engineering teams using FactoryTalk DataMosaix Private Cloud for data collection, historical analysis, and process monitoring across discrete and batch industries (automotive, chemical, food & beverage, pharmaceuticals). This affects anyone with user access to the DataMosaix platform, particularly engineering workstations and operator HMIs that rely on DataMosaix for production data.

How it could be exploited

An attacker with valid user credentials logs into FactoryTalk DataMosaix Private Cloud and exploits authentication or session management flaws to escalate privileges, steal credentials from other users, or manipulate MFA controls. The attacker could then use these stolen credentials to access manufacturing data, historical logs, or configuration settings that control production processes.

Prerequisites

Valid user credentials for FactoryTalk DataMosaix Private Cloud
Access to the DataMosaix web interface (usually internal network access)
User interaction required (UI:R indicates social engineering or user-triggered action may be involved)

Requires valid credentials (lower attack surface)Low exploit complexityHigh confidentiality and integrity impactAffects data access layer critical to manufacturing visibilityUser interaction required for some attack vectors

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (3)

2 with fix1 EOL

ProductAffected VersionsFix Status

FactoryTalk DataMosaix Private CloudAll versionsNo fix (EOL)

FactoryTalk DataMosaix Private Cloud: 7.11_8.00_8.017.11 8.00 8.018.02 (CVE-2025-11084), 8.01 (CVE-2025-11085)

FactoryTalk DataMosaix Private Cloud: 7.11_8.007.11 8.008.02 (CVE-2025-11084), 8.01 (CVE-2025-11085)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to FactoryTalk DataMosaix to only authorized internal users; do not expose to the Internet

HARDENINGEnforce multi-factor authentication for all DataMosaix user accounts

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

FactoryTalk DataMosaix Private Cloud

HOTFIXUpdate FactoryTalk DataMosaix Private Cloud to version 8.02 for CVE-2025-11084

HOTFIXUpdate FactoryTalk DataMosaix Private Cloud to version 8.01 for CVE-2025-11085

All products

HARDENINGAudit and disable unnecessary user accounts on DataMosaix Private Cloud; enforce strong password policies

CVEs (2)

CVE-2025-11084 CVE-2025-11085

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e8bbce06-04ba-44fc-8571-4a7db553f771

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.