CVE-2025-11085: CWE-116: Improper Encoding or Escaping of Output in Rockwell Automation FactoryTalk® DataMosaix™ Private Cloud
A security issue exists within DataMosaix™ Private Cloud allowing for Persistent XSS. This vulnerability can result in the execution of malicious JavaScript, allowing for account takeover, credential theft, or redirection to a malicious website.
AI Analysis
Technical Summary
CVE-2025-11085 is a persistent (stored) cross-site scripting (XSS) vulnerability identified in Rockwell Automation's FactoryTalk® DataMosaix™ Private Cloud software versions 7.11 and 8.00. The root cause is improper encoding or escaping of output data (CWE-116): attacker-supplied input is stored by the application and later written into pages without being encoded for its output context, so injected JavaScript persists within the application. When a victim views the compromised data, the script executes in that user's browser context, potentially enabling the attacker to hijack the session, steal credentials, or redirect the user to a malicious website. The vulnerability is remotely exploitable over the network without authentication, although user interaction (such as visiting a crafted URL or viewing malicious content) is required. The CVSS 4.0 base score of 8.6 (high) reflects a network attack vector, low attack complexity and no privileges required, offset only by the need for user interaction, together with high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations relying on FactoryTalk® DataMosaix™ Private Cloud for industrial data management and automation. Because no patch was available at the time of publication, mitigation strategies need immediate attention. Persistent XSS in industrial control system software is particularly concerning because of the potential for lateral movement, data exfiltration, and disruption of operational technology environments.
Potential Impact
For European organizations, especially those in manufacturing, industrial automation, and critical infrastructure sectors, this vulnerability could lead to severe operational disruptions. Exploitation may result in unauthorized access to sensitive operational data, manipulation of control systems, and compromise of user accounts with elevated privileges. The persistent nature of the XSS increases the risk of prolonged exposure and exploitation. Credential theft could facilitate further attacks within the network, including lateral movement and sabotage. Additionally, redirection to malicious websites could lead to broader phishing campaigns targeting employees. Given the widespread use of Rockwell Automation products in European industrial environments, the threat could impact production continuity, safety systems, and regulatory compliance, potentially causing financial losses and reputational damage.
Mitigation Recommendations
Organizations should prioritize the following mitigations:
1) Monitor Rockwell Automation advisories closely and apply security patches immediately upon release.
2) Implement strict input validation and output encoding on all user-supplied data within FactoryTalk® DataMosaix™ Private Cloud environments to prevent injection of malicious scripts.
3) Deploy web application firewalls (WAFs) with robust XSS detection and blocking capabilities tailored to industrial control system traffic patterns.
4) Conduct regular security awareness training for users to recognize and avoid phishing attempts and suspicious links that could trigger XSS payloads.
5) Restrict access to the DataMosaix™ Private Cloud interface to trusted networks and users using network segmentation and strong authentication mechanisms.
6) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the system.
7) Continuously monitor logs and network traffic for indicators of compromise or anomalous behavior related to XSS exploitation attempts.
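The CWE-116 pattern described above (stored values written into HTML without output encoding) beside its fix, plus a CSP of the kind mitigation 6 describes, as an added Node.js example; this is not Rockwell Automation's code, and the record layout, the page template, the sample payload and the shape check are constructed for illustration.

```javascript
// Added example (not Rockwell Automation's code): a hypothetical server-side
// view that renders a stored record (name, description) into an HTML fragment.

// Encoder for HTML text and double-quoted attribute contexts: the five
// characters that can end a text node or attribute value become entities.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable (CWE-116): stored values are written into markup unchanged, so a
// description containing a tag becomes part of the page for every viewer.
function renderVulnerable(record) {
  return `<div class="tag"><span title="${record.name}">${record.description}</span></div>`;
}

// Hardened: each dynamic value is encoded for the context it lands in.
function renderSafe(record) {
  return `<div class="tag"><span title="${encodeHtml(record.name)}">`
    + `${encodeHtml(record.description)}</span></div>`;
}

// Defence in depth: a CSP without 'unsafe-inline' means a missed encoding
// point still cannot run attacker-supplied inline script in the browser.
const CONTENT_SECURITY_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'";

// Review/unit-test check: the template itself contributes exactly two opening
// tags (<div>, <span>) and four double quotes. Any extra opening tag or quote
// in the output means stored data was interpreted as markup.
const TEMPLATE_SHAPE = { openingTags: 2, doubleQuotes: 4 };
function markupShape(fragment) {
  return {
    openingTags: (fragment.match(/<[a-zA-Z]/g) || []).length,
    doubleQuotes: (fragment.match(/"/g) || []).length,
  };
}
function rendersStoredDataAsText(renderFn, record) {
  const shape = markupShape(renderFn(record));
  return shape.openingTags === TEMPLATE_SHAPE.openingTags
    && shape.doubleQuotes === TEMPLATE_SHAPE.doubleQuotes;
}

// Constructed sample record (hypothetical; not a real DataMosaix payload):
// the name breaks out of the title attribute, the description adds a tag.
const sampleRecord = { name: 'Line 1" data-x="', description: '<script>marker()</script>' };

console.log(rendersStoredDataAsText(renderVulnerable, sampleRecord)); // false
console.log(rendersStoredDataAsText(renderSafe, sampleRecord));       // true
```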
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Rockwell
- Date Reserved: 2025-09-26T14:50:21.710Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69133f64e55e7c79b8ca8ff1
Added to database: 11/11/2025, 1:51:32 PM
Last enriched: 11/18/2025, 2:35:02 PM
Last updated: 12/26/2025, 7:30:18 PM