CVE-2025-11085 is a persistent cross-site scripting (XSS) vulnerability identified in Rockwell Automation's FactoryTalk® DataMosaix™ Private Cloud software versions 7.11 and 8.00. The root cause is improper encoding or escaping of output data, classified under CWE-116, which allows attackers to inject malicious JavaScript code that persists in the application. When an authenticated user accesses the compromised interface, the malicious script executes in their browser context, enabling attackers to perform actions such as account takeover, credential theft, or redirecting users to malicious websites. The vulnerability is remotely exploitable without requiring authentication, though it does require user interaction (e.g., clicking a crafted link or visiting a malicious page). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and user interaction required (UI:P), with high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). Despite no known exploits in the wild at the time of publication, the vulnerability poses a significant risk to industrial control systems and cloud environments managed by FactoryTalk® DataMosaix™. The lack of available patches at the time of reporting necessitates immediate mitigation strategies to reduce exposure. The vulnerability's persistence means injected scripts remain active across sessions, increasing the risk of prolonged compromise. This flaw could be leveraged by threat actors to gain unauthorized access to sensitive operational data or disrupt industrial processes.

For European organizations, particularly those in manufacturing, energy, and critical infrastructure sectors relying on Rockwell Automation's FactoryTalk® DataMosaix™ Private Cloud, this vulnerability poses a serious threat. Exploitation could lead to unauthorized access to operational data, manipulation of industrial processes, and potential disruption of services. Credential theft and account takeover could facilitate further lateral movement within networks, increasing the risk of espionage or sabotage. The persistent nature of the XSS means that once exploited, malicious scripts could continuously compromise user sessions, leading to prolonged data exfiltration or system manipulation. Given the integration of FactoryTalk® products in industrial control systems, the impact extends beyond IT to operational technology (OT), potentially affecting production lines and safety systems. This could result in financial losses, regulatory penalties under GDPR for data breaches, and damage to organizational reputation. The high CVSS score reflects the severity and ease of exploitation, underscoring the urgency for European entities to address this vulnerability promptly.

1. Apply official patches from Rockwell Automation immediately once they become available to remediate the vulnerability at the source. 2. Until patches are released, implement strict input validation and output encoding on all user-supplied data within FactoryTalk® DataMosaix™ interfaces to prevent injection of malicious scripts. 3. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application. 4. Conduct regular security audits and penetration testing focused on web application security to detect similar vulnerabilities early. 5. Educate users about the risks of clicking on suspicious links or interacting with untrusted content within the FactoryTalk® environment. 6. Monitor logs and network traffic for unusual activities indicative of exploitation attempts, such as unexpected script execution or anomalous authentication patterns. 7. Segment the network to isolate FactoryTalk® DataMosaix™ systems from general IT networks, limiting potential lateral movement. 8. Employ web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting FactoryTalk® applications. 9. Collaborate with Rockwell Automation support for guidance and to stay informed about updates or advisories related to this vulnerability.