CVE-2025-9161

HighRCE

Published: 09 September 2025

Published

09 September 2025

Modified

20 October 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0013 32.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9161 is a high-severity Command Injection (CWE-77) vulnerability in Rockwellautomation Factorytalk Optix. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of URI inputs to the MQTT broker, mitigating the lack of URI sanitization that allows loading of remote malicious Mosquito plugins.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of flaws like this URI sanitization vulnerability through timely patching per vendor advisory SD-1742.

SC-18 Mobile Code good match

preventdetect

Establishes restrictions, authorization, and detection for mobile code technologies, directly applicable to preventing and identifying unauthorized remote Mosquito plugin loading.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Direct RCE via insufficient URI sanitization in network-accessible MQTT broker enables initial access through public-facing application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquito plugins, which can be used to achieve remote code execution.

Deeper analysisAI

CVE-2025-9161 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) in the FactoryTalk Optix MQTT broker from Rockwell Automation, stemming from insufficient URI sanitization (CWE-77). This flaw allows attackers to load remote Mosquito plugins, enabling remote code execution on the affected system. The issue was publicly disclosed on September 9, 2025.

An attacker with low-privilege network access (PR:L) can exploit this vulnerability without user interaction over the network (AV:N) with low complexity (AC:L). Successful exploitation grants high-impact control over confidentiality, integrity, and availability (C:H/I:H/A:H), allowing arbitrary code execution within the context of the MQTT broker process.

Mitigation details and patches are outlined in Rockwell Automation's security advisory SD-1742, available at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1742.html. Security practitioners should review this advisory for version-specific fixes and workarounds.