CVE-2025-9161

8.8 HIGH

📋 TL;DR

This vulnerability in the FactoryTalk Optix MQTT broker allows remote attackers to load malicious Mosquitto plugins due to insufficient URI sanitization, leading to remote code execution. It affects industrial control systems running vulnerable versions of FactoryTalk Optix software.

💻 Affected Systems

Products:
  • FactoryTalk Optix
Versions: prior to 1.6.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with MQTT broker functionality enabled in FactoryTalk Optix.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise, with the attacker gaining complete control over the industrial control system and potentially disrupting operations or causing physical damage.

🟠 Likely Case: Remote code execution allowing data theft, system manipulation, or lateral movement within the industrial network.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent external access to the MQTT broker.

🌐 Internet-Facing: HIGH - If exposed to the internet, attackers can exploit the broker directly without internal access.
🏢 Internal Only: HIGH - Even internally, any compromised device on the network could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to the MQTT broker but no authentication. Attackers need to craft malicious plugin URIs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.6.0 or later

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1742.html

Restart Required: Yes

Instructions:

1. Download FactoryTalk Optix version 1.6.0 or later from Rockwell Automation.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart the system.

🔧 Temporary Workarounds

Network Segmentation (all platforms): Isolate FactoryTalk Optix systems from untrusted networks and the internet.

Disable MQTT Broker (Windows): Disable MQTT broker functionality if it is not required.

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to the MQTT broker
  • Monitor for unusual network traffic to/from the FactoryTalk Optix system

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk Optix version in application settings or control panel. Versions below 1.6.0 are vulnerable.

Check Version:

Check via the FactoryTalk Optix application interface or Windows Programs and Features.

Verify Fix Applied:

Verify version is 1.6.0 or higher and test MQTT broker functionality remains operational.

📡 Detection & Monitoring

Log Indicators:

  • Unusual MQTT connection attempts
  • Failed plugin loading attempts
  • Unexpected process execution

Network Indicators:

  • Unusual traffic to MQTT broker port (typically 1883)
  • External connections to internal MQTT broker

SIEM Query:

source_ip=external AND dest_port=1883 AND dest_ip=FactoryTalk_Optix_IP
