
CVE-2025-11084: CWE-1390: Weak Authentication in Rockwell Automation FactoryTalk® DataMosaix™ Private Cloud

Severity: High
Tags: Vulnerability, CVE-2025-11084, cve, cve-2025-11084, cwe-1390
Published: Tue Nov 11 2025 (11/11/2025, 13:26:05 UTC)
Source: CVE Database V5
Vendor/Project: Rockwell Automation
Product: FactoryTalk® DataMosaix™ Private Cloud

Description

A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the user's password. This vulnerability occurs when MFA is enabled but not completed within a 7-day period.

AI-Powered Analysis

Last updated: 11/11/2025, 14:06:38 UTC

Technical Analysis

CVE-2025-11084 is a vulnerability classified under CWE-1390 (Weak Authentication) affecting Rockwell Automation's FactoryTalk® DataMosaix™ Private Cloud versions 7.11, 8.00, and 8.01. The flaw arises during the MFA setup process: when MFA is enabled but not fully completed within a 7-day period, an attacker can bypass the MFA mechanism entirely. This bypass allows the attacker to obtain a valid login-token cookie without needing the user's password, effectively granting unauthorized access to the system. The vulnerability is exploitable remotely but requires adjacent network access, indicating that the attacker must be on the same local network or have similar network proximity. The CVSS 4.0 score is 7.6 (high severity), reflecting the significant impact on confidentiality and integrity, with no user interaction or authentication required. The vulnerability does not currently have known exploits in the wild, but its presence in critical industrial cloud infrastructure poses a substantial risk. The weakness stems from insufficient enforcement of MFA completion and session management during the initial setup phase, allowing session tokens to be issued prematurely or without proper verification. This can lead to unauthorized access, data exposure, and potential manipulation of industrial control data managed by the affected cloud platform.

Potential Impact

For European organizations, particularly those in manufacturing, industrial automation, and critical infrastructure sectors relying on FactoryTalk® DataMosaix™ Private Cloud, this vulnerability could lead to unauthorized access to sensitive operational data and control systems. Attackers exploiting this flaw could bypass MFA protections, potentially leading to data breaches, disruption of industrial processes, or manipulation of factory automation workflows. Given the role of Rockwell Automation products in European industrial environments, exploitation could undermine operational integrity and availability, causing financial losses and safety risks. The ability to obtain valid login tokens without passwords increases the risk of lateral movement within networks and persistent unauthorized access. This is especially critical for organizations with stringent regulatory compliance requirements such as GDPR and the NIS Directive, where unauthorized access and data compromise can result in legal and reputational consequences.

Mitigation Recommendations

1. Enforce strict policies that require immediate completion of MFA setup upon enabling, disallowing any grace periods that permit incomplete MFA states.
2. Implement monitoring and alerting for accounts with incomplete MFA setup beyond a short threshold (preferably less than 7 days) to detect potential exploitation attempts.
3. Restrict network access to the FactoryTalk® DataMosaix™ Private Cloud management interfaces to trusted and segmented network zones, minimizing exposure to adjacent network attackers.
4. Apply vendor patches or updates as soon as they become available to address this vulnerability directly.
5. Conduct regular audits of session management and authentication flows to ensure tokens are only issued after successful MFA completion.
6. Employ additional compensating controls such as network-level MFA enforcement or VPN access restrictions to reduce attack surface.
7. Educate administrators and users about the importance of completing MFA setup promptly and reporting any anomalies.
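One way to implement the checks in recommendations 2 and 5, as an added example that is not Rockwell's code or part of the original advisory. It audits a constructed account export and session log; every field name (`mfa_enabled`, `mfa_enabled_at`, `mfa_completed_at`, `issued_at`) and the 24-hour default threshold are assumptions, not the product's schema or settings.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names are hypothetical, not the product's schema.
ACCOUNTS = [
    {"user": "alice", "mfa_enabled": True,
     "mfa_enabled_at": "2025-11-01T08:00:00+00:00", "mfa_completed_at": "2025-11-01T08:05:00+00:00"},
    {"user": "bob", "mfa_enabled": True,
     "mfa_enabled_at": "2025-11-02T09:00:00+00:00", "mfa_completed_at": None},
    {"user": "carol", "mfa_enabled": True,
     "mfa_enabled_at": "2025-11-11T10:00:00+00:00", "mfa_completed_at": None},
    {"user": "dave", "mfa_enabled": False, "mfa_enabled_at": None, "mfa_completed_at": None},
]
SESSIONS = [
    {"user": "alice", "issued_at": "2025-11-05T12:00:00+00:00"},
    {"user": "bob", "issued_at": "2025-11-09T03:14:00+00:00"},
    {"user": "dave", "issued_at": "2025-11-10T07:30:00+00:00"},
]
NOW = datetime(2025, 11, 11, 14, 0, tzinfo=timezone.utc)  # fixed audit time for the sample


def _ts(value):
    """Parse an ISO 8601 timestamp; None stays None."""
    return datetime.fromisoformat(value) if value else None


def pending_enrollments(accounts, now, max_age=timedelta(hours=24)):
    """Accounts with MFA enabled but setup unfinished for longer than max_age."""
    flagged = []
    for acct in accounts:
        if acct["mfa_enabled"] and acct["mfa_completed_at"] is None:
            age = now - _ts(acct["mfa_enabled_at"])
            if age > max_age:
                flagged.append((acct["user"], age.days))
    return sorted(flagged, key=lambda item: -item[1])  # oldest pending first


def tokens_without_mfa(accounts, sessions):
    """Session tokens issued to MFA-enabled accounts that never completed setup."""
    by_user = {acct["user"]: acct for acct in accounts}
    hits = []
    for sess in sessions:
        acct = by_user.get(sess["user"])
        if acct is None or not acct["mfa_enabled"]:
            continue  # out of scope for this check
        if acct["mfa_completed_at"] is None and _ts(sess["issued_at"]) >= _ts(acct["mfa_enabled_at"]):
            hits.append((sess["user"], sess["issued_at"]))
    return hits
```

A hit from `tokens_without_mfa` on an account that is also in `pending_enrollments` is the combination this CVE describes and should be treated as a priority alert.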


Technical Details

Data Version: 5.2
Assigner Short Name: Rockwell
Date Reserved: 2025-09-26T14:49:57.904Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69133f64e55e7c79b8ca8fee

Added to database: 11/11/2025, 1:51:32 PM

Last enriched: 11/11/2025, 2:06:38 PM

Last updated: 11/12/2025, 5:13:48 AM
