CISA Warns of Stored XSS Flaw in Rockwell Automation FactoryTalk DataMosaix
CISA issued advisory ICSA-26-197-09 for a stored cross-site scripting vulnerability in Rockwell Automation FactoryTalk DataMosaix Private Cloud versions 8.02 and earlier, allowing privileged authenticated users to inject malicious scripts.
Intelligence analysis by Llama
A medium-severity stored XSS bug in Rockwell's FactoryTalk DataMosaix Private Cloud lets a high-privilege authenticated user inject persistent JavaScript via Workflows configuration, opening paths to account takeover and credential theft. Rockwell has issued a fix in version 8.03.
Imagine a digital notebook that lots of factory workers use. A bug in the notebook app lets someone who already has a key write sneaky instructions that hide on the page forever. When other workers open the page, the sneaky instructions run in their browser, kind of like a magic trick that can steal their password. Rockwell fixed it in a newer version, and CISA is reminding everyone to update so the trick stops working.
Analysis
A Privilege-Gated But Persistent Threat
CISA's advisory ICSA-26-197-09 describes a stored cross-site scripting vulnerability, tracked as CVE-2026-9292, affecting Rockwell Automation FactoryTalk DataMosaix Private Cloud version 8.02 and earlier. The flaw lives in the Workflows configuration component and stems from improper neutralization of user-supplied input, the textbook definition of CWE-79. Because the malicious payload is permanently stored on the server rather than reflected in a single request, every subsequent visit to the affected page triggers the attacker-controlled JavaScript. CISA notes that exploitation requires an authenticated user with high privileges, which narrows the attacker pool but does not eliminate the risk inside environments where admin accounts are shared, weakly governed, or compromised through separate attack chains.
From Workflows to Account Takeover
The advisory spells out the realistic blast radius in unusually direct language for a CISA bulletin: account takeover, credential theft, or redirection to a malicious website. Each of those outcomes can be weaponized through ordinary browser-side execution, meaning the attacker does not need a separate foothold on the host. A single poisoned workflow definition could turn into a watering hole for any operator or engineer who later reviews it. CVSS scores capture the tension here. The CVSS 3.1 base score lands at 6.1 (Medium), reflecting the privilege requirement, while the newer CVSS 4.0 base score climbs to 8.4 (High) because the newer framework's vector string credits the attack's reach and impact more generously. The diverging scores are themselves a useful signal: defenders who still triage primarily on 3.1 may underestimate the real exposure.
Patching Path and Defensive Posture
Rockwell Automation's fix is straightforward on paper: upgrade DataMosaix Private Cloud to version 8.03 or later, as documented in vendor advisory SD1787. For organizations unable to patch immediately, CISA restates Rockwell's general security best practices and reiterates its standing guidance to keep control system networks behind firewalls, off the public internet, and behind VPNs when remote access is unavoidable. CISA also explicitly states that no known public exploitation of this specific vulnerability has been reported at the time of publication, a small but meaningful reassurance for security teams weighing patch urgency against change windows in manufacturing environments. The advisory's practical takeaway is that this is a low-friction fix with a high payoff: a version bump that closes a stored XSS chain before it can be chained into something more damaging.
Key points
- CVE-2026-9292 is a stored cross-site scripting flaw in Rockwell Automation FactoryTalk DataMosaix Private Cloud versions 8.02 and earlier
- An authenticated attacker with high privileges can inject persistent malicious JavaScript via the Workflows configuration
- Successful exploitation can enable account takeover, credential theft, or redirection to malicious sites
- CVSS 3.1 scores the issue 6.1 (Medium); CVSS 4.0 scores it 8.4 (High), reflecting different impact modeling
- Rockwell has fixed the bug in DataMosaix Private Cloud version 8.03 or later, per vendor advisory SD1787
- CISA reports no known public exploitation targeting this specific vulnerability as of the advisory's release on July 16, 2026
If operators upgrade to DataMosaix Private Cloud 8.03 or later promptly, the attack surface closes cleanly with a version bump and no known exploitation has been observed, giving defenders a comfortable window to patch without active threat pressure. Following CISA's broader ICS hygiene guidance alongside the upgrade also hardens the surrounding environment against similar input-handling bugs in adjacent tools.
Because exploitation requires a high-privilege authenticated user, the real danger is that the flaw becomes a second-stage payload in a longer intrusion where credentials are already compromised, turning a single workflow definition into persistent lateral movement. Industrial environments with extended patch cycles tied to production schedules risk running the vulnerable version long enough for a proof-of-concept to mature, especially given the higher CVSS 4.0 score.



