Critical Vulnerabilities in Rockwell Automation's FactoryTalk Historian SE Threaten Industrial Control Systems
Executive Summary
In June 2026, Rockwell Automation disclosed multiple vulnerabilities in its FactoryTalk Historian Site Edition (SE) software, specifically affecting versions up to 11.00. The most critical, CVE-2025-13036, is an authentication bypass issue where an attacker can obtain a valid authentication token by repeatedly sending requests to the login endpoint. Additionally, CVE-2025-44019 and CVE-2025-36539 involve uncaught exceptions that could allow authenticated users to crash essential subsystems, leading to denial of service and potential data loss. These vulnerabilities pose significant risks to industrial control systems relying on this software. (rockwellautomation.com)
The disclosure underscores the ongoing challenges in securing industrial control systems, highlighting the necessity for continuous monitoring and timely patching. Organizations must remain vigilant, as such vulnerabilities can be exploited to disrupt critical manufacturing operations, emphasizing the importance of robust cybersecurity practices in industrial environments.
Why This Matters Now
The recent disclosure of these vulnerabilities in Rockwell Automation's FactoryTalk Historian SE highlights the critical need for immediate attention to industrial control system security. Exploitation of these flaws could lead to unauthorized access and operational disruptions, posing significant risks to critical manufacturing processes. Organizations must prioritize patching and implementing robust security measures to mitigate these threats.
Attack Path Analysis
An attacker exploited a race condition in the login endpoint of FactoryTalk Historian SE to bypass authentication and gain unauthorized access. With this access, the attacker escalated privileges by exploiting misconfigured permissions, allowing them to execute code with elevated rights. The attacker then moved laterally within the network, accessing other critical systems. They established a command and control channel to maintain persistent access and control over the compromised systems. Sensitive data was exfiltrated through the established channel. Finally, the attacker executed a denial of service attack by exploiting uncaught exceptions, causing system crashes and data loss.
Kill Chain Progression
Initial Compromise
Description
An attacker exploited a race condition in the login endpoint of FactoryTalk Historian SE to bypass authentication and gain unauthorized access.
Related CVEs
CVE-2025-13036
CVSS 9.2An authentication bypass vulnerability in FactoryTalk Historian Site Edition allows an attacker to obtain a valid authentication token by repeatedly sending requests to the login endpoint.
Affected Products:
Rockwell Automation FactoryTalk Historian Site Edition – 11
Exploit Status:
no public exploitCVE-2025-44019
CVSS 7.1An uncaught exception vulnerability in AVEVA PI Data Archive products could allow an authenticated user to shut down certain necessary subsystems, resulting in a denial of service and potential data loss.
Affected Products:
Rockwell Automation FactoryTalk Historian Site Edition – <=11.00
Exploit Status:
no public exploitCVE-2025-36539
CVSS 6.5An uncaught exception vulnerability in AVEVA PI Data Archive products could allow an authenticated user to shut down certain necessary subsystems, resulting in a denial of service.
Affected Products:
Rockwell Automation FactoryTalk Historian Site Edition – <=11.00
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Valid Accounts
Endpoint Denial of Service
Network Denial of Service
Resource Hijacking
Firmware Corruption
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Critical manufacturing systems using Rockwell FactoryTalk Historian face authentication bypass and denial-of-service attacks, potentially disrupting production operations and causing data loss.
Utilities
Power generation and distribution infrastructure utilizing industrial control systems vulnerable to historian data manipulation and operational technology network compromise affecting grid stability.
Oil/Energy/Solar/Greentech
Energy sector operations dependent on SCADA and historian systems susceptible to race condition exploits enabling unauthorized access to critical process data and control systems.
Automotive
Manufacturing facilities using industrial historian platforms for production monitoring at risk of authentication token theft and system crashes disrupting assembly line operations.
Sources
- Rockwell Automation FactoryTalk Historian Site Editionhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-169-03Verified
- FactoryTalk Historian Site Edition - Multiple Vulnerabilitieshttps://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1773.htmlVerified
- Patch: Race condition leading to authentication bypass, FactoryTalk historian SE 11.0https://support.rockwellautomation.com/app/answers/answer_view/a_id/1157978/loc/en_USVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial access may still occur, the attacker's ability to exploit misconfigured permissions could be constrained, reducing the likelihood of privilege escalation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the risk of accessing other critical systems.
Control: East-West Traffic Security
Mitigation: Establishing a command and control channel may be hindered, reducing the attacker's ability to maintain persistent access.
Control: Multicloud Visibility & Control
Mitigation: Exfiltration of sensitive data could be limited, reducing the risk of data loss.
Control: Egress Security & Policy Enforcement
Mitigation: The impact of denial of service attacks may be reduced, limiting system crashes and data loss.
The attacker's ability to cause widespread system crashes and data loss would likely be constrained, reducing the overall impact on critical systems.
Impact at a Glance
Affected Business Functions
- Data Collection
- Data Analysis
- System Monitoring
Estimated downtime: 3 days
Estimated loss: $50,000
Potential loss of process data snapshots and write cache due to system crashes.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit access to critical systems.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to unauthorized access and privilege escalation activities.
- • Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
- • Apply Multicloud Visibility & Control to gain comprehensive insights into network traffic and detect anomalous behaviors across cloud environments.
