Cyber Resilience

CVE-2025-9161

HighRCE

Published: 09 September 2025

Published
09 September 2025
Modified
20 October 2025
KEV Added
Patch
CVSS Score v4 7.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0018 39.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9161 is a high-severity Command Injection (CWE-77) vulnerability in Rockwellautomation Factorytalk Optix. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-9161 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) in the FactoryTalk Optix MQTT broker from Rockwell Automation, stemming from insufficient URI sanitization (CWE-77). This flaw allows attackers to load remote Mosquito plugins, enabling remote code execution on the affected system. The issue was publicly disclosed on September 9, 2025.

An attacker with low-privilege network access (PR:L) can exploit this vulnerability without user interaction over the network (AV:N) with low complexity (AC:L). Successful exploitation grants high-impact control over confidentiality, integrity, and availability (C:H/I:H/A:H), allowing arbitrary code execution within the context of the MQTT broker process.

Mitigation details and patches are outlined in Rockwell Automation's security advisory SD-1742, available at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1742.html. Security practitioners should review this advisory for version-specific fixes and workarounds.

EU & UK References

Vulnerability details

A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquito plugins, which can be used to achieve remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via insufficient URI sanitization in network-accessible MQTT broker enables initial access through public-facing application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7972Same vendor: Rockwellautomation
CVE-2025-34267Shared CWE-77
CVE-2024-34166Shared CWE-77
CVE-2026-30461Shared CWE-77
CVE-2025-64093Shared CWE-77
CVE-2024-54660Shared CWE-77
CVE-2026-26093Shared CWE-77
CVE-2026-30352Shared CWE-77
CVE-2025-55637Shared CWE-77
CVE-2026-44854Shared CWE-77

Affected Assets

rockwellautomation
factorytalk optix
1.5.0 — 1.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of URI inputs to the MQTT broker, mitigating the lack of URI sanitization that allows loading of remote malicious Mosquito plugins.

prevent

Mandates identification, reporting, and correction of flaws like this URI sanitization vulnerability through timely patching per vendor advisory SD-1742.

preventdetect

Establishes restrictions, authorization, and detection for mobile code technologies, directly applicable to preventing and identifying unauthorized remote Mosquito plugin loading.

References