{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/factorytalk-datamosaix-private-cloud-8.02/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-9292"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FactoryTalk DataMosaix Private Cloud (\u003c=8.02)"],"_cs_severities":["high"],"_cs_tags":["xss","ics","ot","vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["Rockwell Automation"],"content_html":"\u003cp\u003eCISA has released an advisory regarding CVE-2026-9292, a Stored Cross-Site Scripting (XSS) vulnerability impacting Rockwell Automation FactoryTalk DataMosaix Private Cloud versions up to and including 8.02. This vulnerability allows an authenticated attacker with high privileges to inject malicious JavaScript into the \u0026quot;Workflows configuration\u0026quot; within the application. Once injected, these scripts are permanently stored on the server and will execute in the browser of any user who subsequently accesses the affected page. The successful exploitation of this vulnerability could lead to significant consequences, including account takeover, credential theft from affected users, or redirection to malicious websites. The advisory indicates that critical manufacturing and information technology sectors are potentially impacted by this vulnerability, which is deployed worldwide. Rockwell Automation recommends upgrading to DataMosaix Private Cloud version 8.03 or later to remediate the issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains high-privileged authentication credentials for Rockwell Automation FactoryTalk DataMosaix Private Cloud.\u003c/li\u003e\n\u003cli\u003eThe authenticated attacker navigates to the Workflows configuration section within the application's interface.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript code into an input field in the Workflows configuration that is vulnerable to improper neutralization of user-supplied input.\u003c/li\u003e\n\u003cli\u003eThe application processes and permanently stores the malicious JavaScript code on the server, associating it with the Workflows configuration.\u003c/li\u003e\n\u003cli\u003eA legitimate user, while logged into the FactoryTalk DataMosaix Private Cloud, later accesses the specific application page containing the compromised Workflows configuration.\u003c/li\u003e\n\u003cli\u003eThe legitimate user's web browser renders the page, fetching the stored malicious script from the server and executing it in the context of the user's session.\u003c/li\u003e\n\u003cli\u003eThe executed malicious JavaScript performs actions such as stealing the user's session cookies, capturing login credentials, or redirecting the user's browser to an attacker-controlled phishing site, potentially leading to account takeover or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9292 can lead to severe consequences for organizations utilizing Rockwell Automation FactoryTalk DataMosaix Private Cloud. The primary impacts include account takeover of legitimate users, enabling attackers to gain unauthorized access to critical industrial control system (ICS) configurations and data. Additionally, the XSS vulnerability facilitates credential theft, potentially exposing sensitive login information. Attackers could also redirect users to malicious websites, increasing the risk of malware infection or further social engineering attacks. The affected software is used in critical manufacturing and information technology sectors globally, indicating a broad potential impact on industrial operations and data integrity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch CVE-2026-9292 by upgrading Rockwell Automation FactoryTalk DataMosaix Private Cloud to version 8.03 or later.\u003c/li\u003e\n\u003cli\u003eReview and implement Rockwell Automation's security best practices outlined in their advisory (SD1787 and support article 1085012) for instances that cannot be immediately upgraded.\u003c/li\u003e\n\u003cli\u003eEnsure web application logs are configured to capture HTTP request details, including method, URI, and query parameters, to identify potential injection attempts, although specific rules are not provided due to lack of detail.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T16:12:17Z","date_published":"2026-07-16T16:12:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rockwell-factorytalk-xss/","summary":"An authenticated attacker with high privileges can exploit CVE-2026-9292, a Stored Cross-Site Scripting (XSS) vulnerability, in Rockwell Automation FactoryTalk DataMosaix Private Cloud versions 8.02 and earlier by injecting malicious scripts into the Workflows configuration, leading to execution of malicious JavaScript in other users' browsers and potential account takeover or credential theft.","title":"Rockwell Automation FactoryTalk DataMosaix Stored XSS Vulnerability (CVE-2026-9292)","url":"https://feed.craftedsignal.io/briefs/2026-07-rockwell-factorytalk-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - FactoryTalk DataMosaix Private Cloud (\u003c=8.02)","version":"https://jsonfeed.org/version/1.1"}