Rockwell Automation has issued an urgent patch for a stored cross-site scripting flaw in FactoryTalk DataMosaix Private Cloud that could let an attacker with high privileges inject malicious scripts into the platform’s Workflow configuration. Once stored, the code executes in the browsers of other users who view the affected content, potentially hijacking sessions, stealing credentials, or redirecting victims to harmful sites. The vulnerability, catalogued as CVE-2026-9292, affects versions 8.02 and earlier; the vendor fix is to upgrade to DataMosaix Private Cloud 8.03 or later, according to a CISA advisory published July 16.

A stored XSS in FactoryTalk DataMosaix’s Workflow configuration

The heart of the issue sits in the Workflows configuration area of FactoryTalk DataMosaix Private Cloud. The software fails to properly neutralize user-supplied input when generating web pages (CWE-79), making it possible for an authenticated attacker with high privileges to plant malicious JavaScript that persists on the server. Later, when another user opens the page where the script is stored, it runs in that user’s browser with the same access rights as the victim. Rockwell’s advisory explicitly warns that consequences can include account takeover, credential theft, and redirection to an attacker-controlled website.

The exploit path demands two things: an account that can edit Workflows, and the attacker’s ability to log in with that account. There is no unauthenticated remote vector here, and the vulnerability does not directly compromise industrial control devices or OT networks. But the stored nature of the payload means that once it is placed, it lies dormant until triggered by unsuspecting colleagues — including administrators with broader system access.

Who needs to patch?

Any organization running FactoryTalk DataMosaix Private Cloud version 8.02 or earlier must move to the corrected release, 8.03 or later. The product is deployed worldwide across critical manufacturing and information technology sectors, so the potential footprint is significant. Rockwell reported the issue to CISA, and both the vendor and the agency stress that upgrading is the only complete remediation.

For teams that cannot apply the patch immediately, Rockwell offers generic security best practices as a temporary mitigation, such as minimizing network exposure and enforcing strict access controls. CISA’s advisory also reminds asset owners to isolate industrial systems from the internet and use VPNs for remote access, though it notes that VPNs themselves must be kept up to date. These measures reduce attack surface but do not eliminate the vulnerability — only the upgrade removes the XSS condition.

How serious is this? Decoding the CVSS scores

The dual CVSS scores assigned to CVE-2026-9292 can cause confusion. Under CVSS v3.1, the flaw earns a 6.1 (Medium), with a vector of AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N. Under CVSS v4.0, however, the base score jumps to 8.4 (High), reflecting the newer framework’s heavier weighting of confidentiality and integrity impacts even when privileges are required. The v4.0 vector is AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N.

Operationally, both scores deliver the same message: a network-accessible vulnerability that, while requiring high privileges and user interaction, can result in severe consequences for those who interact with the trapped content. A session hijacked from an administrator or an engineer with wide-ranging permissions can be a powerful stepping stone. That’s why, despite the “Medium” tag in v3.1, this should be treated as a high-priority patching item.

The disclosure timeline

  • Rockwell Automation identified the vulnerability and reported it to CISA.
  • On July 16, 2026, CISA published advisory ICSA-26-197-09, which republishes Rockwell’s own notification (SD1787).
  • The advisory explicitly states that, as of publication, “no known public exploitation specifically targeting this vulnerability has been reported to CISA.”
  • The corrected version, DataMosaix Private Cloud 8.03, is available from Rockwell.

Because the public disclosure is the first many organizations will learn of the flaw, any window for comfortable upgrade planning is likely short. The absence of in-the-wild exploitation is reassuring, but it should not stall patch deployment. Once a vulnerability is announced, attackers frequently reverse-engineer the details to build exploits.

Steps to secure your deployment

Patch management for operational technology-adjacent software can be complex, but the remediation here is straightforward if you follow a clear process. Below is a practical workflow that covers detection, upgrade, access hygiene, and validation.

  1. Identify affected instances. Every FactoryTalk DataMosaix Private Cloud deployment should be inventoried. Determine which ones are running version 8.02 or earlier and document them. Assign an owner for each instance who will drive the upgrade.
  2. Plan and schedule the upgrade. Obtain the necessary change approvals, coordinate with any dependent systems, and set a maintenance window. The goal is to move every instance to version 8.03 or later. If your organization uses a phased rollout, prioritize deployments where Workflow editor privileges are widely distributed first.
  3. Review Workflow editor access while you wait. As an interim risk-reduction step, look at who can create or modify Workflow configurations. Remove unnecessary rights from users who don’t require them for daily operations. This narrows the pool of accounts that could potentially inject a malicious payload, but it is not a fix — it’s a holding measure until the patch is applied.
  4. Test the upgrade. Before deploying into production, verify that version 8.03 functions correctly in a representative test environment. Confirm that Workflow management, authentication, and integrations all behave as expected.
  5. Deploy and validate. Apply the upgrade through your normal change-management process. Afterward, check the running version through your asset-management or administration tools. Run a quick smoke test: ensure users can log in, Workflow functions work, and no unexpected errors appear. Document the outcome.
  6. Conduct a post-upgrade review (if warranted). If your team has any reason to suspect prior misuse — unusual Workflow changes, odd administrative activity — review available logs and change records against your incident response procedures. The advisory does not provide forensic indicators, so any investigation will rely on your own audit trails.

Why a high-privilege requirement doesn’t mean you’re safe

One common pitfall is to downplay a vulnerability because it requires an authenticated, high-privilege account. In practice, however, that prerequisite is often easier to satisfy than defenders hope. Credential theft, phishing, insider threats, and misconfigurations can all hand an attacker the keys they need. A stored XSS then becomes a force multiplier: a single compromised editor can seed a payload that harvests credentials from everyone who views the poisoned page — potentially including users with even higher privileges.

In industrial environments, where FactoryTalk DataMosaix bridges IT and OT data, a browser-based attack that steals administrator sessions can have outsized consequences. It may not directly manipulate a PLC, but it can grant access to sensitive process data, configuration tools, or connected systems. Treating this as a routine web application XSS ignores the trust boundaries inside an operational environment.

What to watch next

Rockwell and CISA have provided the definitive fix, and the immediate task is upgrading. However, the disclosure should also prompt a broader look at how industrial web applications handle input sanitization — especially in interfaces where privileged users create content that others consume. As OT/IT convergence deepens, flaws like CVE-2026-9292 are a reminder that browser sessions have become part of the security perimeter, even in industrial software.

Keep an eye on Rockwell’s trust center for any follow-up guidance or additional patches, and ensure your vulnerability management program treats ICS-related advisories with the same urgency as enterprise software bulletins.