Rockwell Automation FactoryTalk DataMosaix Vulnerable to Stored Cross-Site Scripting
CISA has issued an advisory for a Stored Cross-Site Scripting vulnerability in Rockwell Automation's FactoryTalk DataMosaix Private Cloud, potentially leading to account takeover and credential theft.

Rockwell Automation's FactoryTalk DataMosaix Private Cloud software, specifically versions prior to 8.03, contains a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-9292. This flaw allows an authenticated attacker with high-level privileges to inject malicious scripts into the Workflows configuration.
The vulnerability arises from the improper neutralization of user-supplied input within the Workflows configuration interface. When an attacker successfully injects a script, it becomes permanently stored on the server. The danger materializes when other users access the affected page, triggering the execution of the malicious JavaScript within their browser context.
Successful exploitation of this vulnerability could have severe consequences, including account takeover, the theft of user credentials, or the redirection of unsuspecting users to malicious websites. The impact is amplified by the potential for attackers to gain persistent access or execute further malicious actions within the compromised environment.
The affected product is Rockwell Automation DataMosaix Private Cloud, with versions up to and including 8.02 being vulnerable. The Common Vulnerability Scoring System (CVSS) v3.1 base score for this vulnerability is 6.1 (MEDIUM), with a CVSS v4.0 score of 8.4 (HIGH). The vector strings indicate network accessibility, low attack complexity, high privileges required, user interaction needed for exploitation, and a significant impact on confidentiality and integrity.
Rockwell Automation has released a fix, recommending that users upgrade to DataMosaix Private Cloud versions 8.03 or later. For organizations unable to immediately upgrade, Rockwell Automation suggests implementing their security best practices and refers users to Security Advisory SD1787 for further mitigation guidance. These recommendations often include network segmentation, access control, and regular security audits.
CISA emphasizes that while no public exploitation has been reported at this time, organizations should implement defensive measures to minimize risk. These include minimizing network exposure for control system devices, isolating them behind firewalls, and using secure remote access methods like VPNs. A defense-in-depth strategy is crucial for protecting industrial control systems.
The vulnerability falls under CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), a common but dangerous class of web security flaws. The widespread deployment of Rockwell Automation products across critical manufacturing and IT sectors globally underscores the importance of addressing this vulnerability promptly to prevent potential disruptions.