Executive Summary

CVE-2025-36539 is one of three vulnerabilities affecting Rockwell Automation FactoryTalk Historian Site Edition version 11.00 and earlier, the others being CVE-2025-13036 and CVE-2025-44019. Successful exploitation allows an attacker to obtain a valid authentication token, force a denial of service, or crash the historian service, directly threatening the integrity and availability of the process data layer that operators and engineers depend on for situational awareness.

Technical Exposure Breakdown

FactoryTalk Historian SE is the time series data engine sitting between control system tags and the plant analytics layer. It aggregates high resolution process values from PLCs and SCADA gateways and serves them to dashboards, trend tools, and reporting systems. It is not a controller, but it is a trust anchor: downstream decisions are made on the data it stores and serves.

The combined effect of this vulnerability cluster matters more than any single CVE in isolation. CVE-2025-36539 carries a CVSS of 6.5, and the vendor equipment scoring reaches 7.7 across the set. The token acquisition path is the most consequential. If an attacker can obtain a valid authentication token, they inherit the privileges associated with that session and can interact with historian services as a legitimate client. That is not a crash, that is impersonation. The denial of service and crash conditions in the other two CVEs then provide a complementary objective: an adversary who cannot fully manipulate data can still blind the operations team by taking the historian offline.

The realistic attack conditions require network reachability to the historian service. In flat or poorly segmented OT networks, that reachability is frequently present from engineering workstations, jump hosts, and shared IT/OT data brokers. The historian is also one of the few OT components that is intentionally bridged to enterprise systems for reporting, which expands the exposed surface beyond the process network.

OT Impact and Compliance Risk

The physical consequence is indirect but real. A historian crash or token compromise does not move an actuator, but it degrades the data operators use to detect abnormal process behavior. An attacker who can both crash the historian and manipulate or withhold trend data creates a window where dangerous process drift goes unobserved. In a chemical, water, or power environment, loss of historian fidelity during an active disturbance is an operational safety concern, not just an IT inconvenience.

For NERC CIP environments, a historian inside the Electronic Security Perimeter falls under CIP-007 system security management and CIP-005 boundary protection obligations, and an exploitable token theft path is a defensible finding. Under IEC 62443, this maps to identification and authentication control failures under SR 1.x and availability degradation under SR 7.x. Water utilities operating under AWIA 2018 risk and resilience assessments should treat historian availability as part of the monitoring capability they are required to evaluate. Pipeline operators under TSA SD-02C should account for the historian in their architecture and access control documentation, since it commonly straddles the IT/OT boundary they are required to control.

Compensating Controls

Do not assume a maintenance window for patching exists. Historian upgrades on SE 11.00 often require coordinated downtime that operations will resist. Treat the following as the interim posture.

BreachSpider Intel

BreachSpider tracks exploitation signals and exposure changes across Rockwell FactoryTalk and the broader OT historian footprint, so operators can monitor this vulnerability cluster without active scanning their own process network.