CVE-2025-11084: CWE-1390: Weak Authentication in Rockwell Automation FactoryTalk® DataMosaix™ Private Cloud
A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the user's password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period.
AI Analysis
Technical Summary
CVE-2025-11084 is a security vulnerability classified under CWE-1390, indicating weak authentication mechanisms within Rockwell Automation's FactoryTalk® DataMosaix™ Private Cloud software. The vulnerability specifically arises during the MFA setup process. When MFA is enabled but not fully completed within a 7-day timeframe, the system fails to enforce MFA properly, allowing an attacker to bypass it. This bypass enables the attacker to obtain a valid login-token cookie without knowledge of the user's password, granting unauthorized access to the system. The affected versions include 7.11, 8.00, and 8.01. The CVSS 4.0 score is 7.6, reflecting high severity with an attack vector that is adjacent network (AV:A), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality and integrity (VC:H, VI:H). The vulnerability does not require authentication or user interaction, but the attacker must have network access to the affected system. No patches are currently listed, and no exploits have been observed in the wild. This vulnerability is critical for environments relying on FactoryTalk® DataMosaix™ Private Cloud for industrial automation data management, as unauthorized access could lead to data breaches and operational interference.
Potential Impact
For European organizations, particularly those in manufacturing, industrial automation, and critical infrastructure sectors that rely on Rockwell Automation's FactoryTalk® DataMosaix™ Private Cloud, this vulnerability poses a significant risk. Unauthorized access through MFA bypass can lead to exposure of sensitive operational data, intellectual property theft, and potential manipulation of industrial processes. This could result in operational downtime, financial losses, and damage to reputation. The ability to obtain a valid login token without a password undermines trust in the authentication system and may facilitate further lateral movement within the network. Given the high adoption of Rockwell Automation products in European industrial hubs, the impact could be widespread. Additionally, regulatory compliance issues may arise if personal or sensitive data is compromised, leading to potential fines under GDPR. The lack of known exploits currently provides a window for proactive mitigation, but the high severity score indicates that exploitation could have serious consequences.
Mitigation Recommendations
1. Enforce strict policies requiring MFA setup completion within a shorter timeframe than 7 days or disable accounts that do not complete MFA setup promptly.
2. Implement continuous monitoring and alerting for incomplete MFA setups and unusual token issuance activities.
3. Restrict network access to FactoryTalk® DataMosaix™ Private Cloud management interfaces to trusted IP ranges and use network segmentation to limit exposure.
4. Apply vendor patches immediately once available; engage with Rockwell Automation support to obtain updates or workarounds.
5. Conduct regular audits of authentication logs to detect anomalous login-token issuance or usage patterns.
6. Educate administrators and users about the importance of completing MFA setup promptly and securely.
7. Consider deploying additional compensating controls such as Web Application Firewalls (WAF) to detect and block suspicious authentication bypass attempts.
8. Integrate threat intelligence feeds to stay informed about emerging exploits targeting this vulnerability.
9. Review and harden overall identity and access management policies surrounding the affected product.
10. Prepare incident response plans specifically addressing potential unauthorized access scenarios related to this vulnerability.
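Recommendations 2 and 5 as an added example (not from the advisory or from Rockwell Automation): a Python audit that flags accounts left with MFA enabled but incomplete past the 7-day window, and login tokens issued to accounts in that state. The record fields, user names and addresses are constructed assumptions; the product's real log schema is not given on this page.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)  # the window named in the advisory

# Constructed sample data; field names are assumptions, not the product's schema.
ACCOUNTS = [
    {"user": "alice", "mfa_enabled_at": "2025-11-01T08:00:00Z", "mfa_completed_at": "2025-11-01T08:05:00Z"},
    {"user": "bob",   "mfa_enabled_at": "2025-11-01T09:00:00Z", "mfa_completed_at": None},
    {"user": "carol", "mfa_enabled_at": "2025-11-09T09:00:00Z", "mfa_completed_at": None},
]
TOKEN_EVENTS = [
    {"user": "alice", "issued_at": "2025-11-10T07:00:00Z", "src": "10.0.5.20"},
    {"user": "bob",   "issued_at": "2025-11-10T02:13:00Z", "src": "10.0.9.77"},
    {"user": "carol", "issued_at": "2025-11-10T10:00:00Z", "src": "10.0.5.31"},
]

def ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_enrollments(accounts, now, grace=GRACE):
    """Accounts with MFA enabled but still not completed after the grace window."""
    out = []
    for a in accounts:
        if a["mfa_enabled_at"] and not a["mfa_completed_at"]:
            age = now - ts(a["mfa_enabled_at"])
            if age > grace:
                out.append((a["user"], age.days))
    return out

def tokens_without_completed_mfa(accounts, events, grace=GRACE):
    """Login tokens issued after the grace window expired while MFA was still incomplete."""
    by_user = {a["user"]: a for a in accounts}
    hits = []
    for e in events:
        a = by_user.get(e["user"])
        if not a or not a["mfa_enabled_at"]:
            continue  # unknown account or MFA never enabled: out of scope here
        issued = ts(e["issued_at"])
        deadline = ts(a["mfa_enabled_at"]) + grace
        done = ts(a["mfa_completed_at"]) if a["mfa_completed_at"] else None
        if issued > deadline and (done is None or done > issued):
            hits.append((e["user"], e["issued_at"], e["src"]))
    return hits

if __name__ == "__main__":
    now = ts("2025-11-10T12:00:00Z")
    print(stale_enrollments(ACCOUNTS, now))
    print(tokens_without_completed_mfa(ACCOUNTS, TOKEN_EVENTS))
```

Lowering `GRACE` below seven days turns the first check into the enforcement report for recommendation 1.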
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Rockwell
- Date Reserved: 2025-09-26T14:49:57.904Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69133f64e55e7c79b8ca8fee
Added to database: 11/11/2025, 1:51:32 PM
Last enriched: 11/18/2025, 2:34:35 PM
Last updated: 12/27/2025, 10:17:02 AM