CVE-2025-9161
published 2025-09-09


Priority P259 · high · 8.8 · CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.52% (40.2th percentile)
A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquitto plugins, which can be used to achieve remote code execution.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
rockwell_automation | factorytalk_optix | |
rockwellautomation | factorytalk_optix | >= 1.5.0 < 1.6.0 | 1.6.0

Detection & IOCs (extracted from sources)

  • Detect exploitation attempts targeting FactoryTalk Optix MQTT broker by monitoring for unsanitized/remote URIs supplied to the Mosquitto plugin loading mechanism, which could indicate an attempt to load a remote plugin for RCE.
  • Monitor FactoryTalk Optix deployments running versions 1.5.0 through 1.5.7 for anomalous MQTT broker activity, especially outbound connections initiated by the broker process to remote hosts (indicative of remote plugin loading).
  • Flag network traffic from FactoryTalk Optix MQTT broker processes to external/internet-facing hosts, as exploitation requires the broker to fetch a remote Mosquitto plugin over the network.
  • Exploitation requires high attack complexity, network access, low privileges, and user interaction — not a trivially exploitable vulnerability.
  • No known public exploitation has been reported at time of advisory publication; threat hunting should be prioritized over emergency response.
  • The vulnerability is specific to the MQTT broker component (Mosquitto plugin loading) within FactoryTalk Optix; detection should be scoped to that process/service rather than the broader application.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 7.3 | HIGH | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X