CVE-2025-9161
Published 2025-09-09

Priority: P2 · 59 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.52% (40.2nd percentile)
A security issue exists within the FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquitto plugins, which can be used to achieve remote code execution.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | factorytalk_optix | — | — |
| rockwellautomation | factorytalk_optix | >= 1.5.0 < 1.6.0 | 1.6.0 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts targeting the FactoryTalk Optix MQTT broker by monitoring for unsanitized or remote URIs supplied to the Mosquitto plugin loading mechanism, which could indicate an attempt to load a remote plugin for RCE.
- Monitor FactoryTalk Optix deployments running versions 1.5.0 through 1.5.7 for anomalous MQTT broker activity, especially outbound connections initiated by the broker process to remote hosts (indicative of remote plugin loading).
- Flag network traffic from FactoryTalk Optix MQTT broker processes to external or internet-facing hosts, as exploitation requires the broker to fetch a remote Mosquitto plugin over the network.
- Exploitation requires high attack complexity, network access, low privileges, and user interaction; this is not a trivially exploitable vulnerability.
- No known public exploitation has been reported at the time of advisory publication; threat hunting should be prioritized over emergency response.
- The vulnerability is specific to the MQTT broker component (Mosquitto plugin loading) within FactoryTalk Optix; detection should be scoped to that process/service rather than the broader application.
CVSS provenance
- NVD · CVSS v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD · CVSS v4.0 · 7.3 HIGH · CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA ICS
Source: cisa_ics · 2025-09-09 · CVSS 8.8 · [HIGH]

ICS Advisory: Rockwell Automation FactoryTalk Optix
Release Date: September 09, 2025
Alert Code: ICSA-25-252-04
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 7.3
- ATTENTION: Exploitable remotely
- Vendor: Rockwell Automation
- Equipment: FactoryTalk Optix
- Vulnerability: Improper Input Validation
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could result in an attacker achieving remote code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following version of FactoryTalk Optix, a scalable, cloud-enabled visualization platform, is affected:
- FactoryTalk Optix: Versions 1.5.0 through 1.5.7
## 3.2 VULNERABILITY OVERVIEW
## 3.2.1 I
GHSA
Source: ghsa_unreviewed · 2025-09-09 · CVE-2025-9161 · CWE-77 · [HIGH]

GHSA-h66j-7h34-g83p: A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization
A security issue exists within the FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquitto plugins, which can be used to achieve remote code execution.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-09