Executive Summary
CVE-2025-36539 is one of three vulnerabilities affecting Rockwell Automation FactoryTalk Historian Site Edition version 11.00 and earlier, the others being CVE-2025-13036 and CVE-2025-44019. Successful exploitation allows an attacker to obtain a valid authentication token, force a denial of service, or crash the historian service, directly threatening the integrity and availability of the process data layer that operators and engineers depend on for situational awareness.
Technical Exposure Breakdown
FactoryTalk Historian SE is the time series data engine sitting between control system tags and the plant analytics layer. It aggregates high resolution process values from PLCs and SCADA gateways and serves them to dashboards, trend tools, and reporting systems. It is not a controller, but it is a trust anchor: downstream decisions are made on the data it stores and serves.
The combined effect of this vulnerability cluster matters more than any single CVE in isolation. CVE-2025-36539 carries a CVSS of 6.5, and the vendor equipment scoring reaches 7.7 across the set. The token acquisition path is the most consequential. If an attacker can obtain a valid authentication token, they inherit the privileges associated with that session and can interact with historian services as a legitimate client. That is not a crash, that is impersonation. The denial of service and crash conditions in the other two CVEs then provide a complementary objective: an adversary who cannot fully manipulate data can still blind the operations team by taking the historian offline.
The realistic attack conditions require network reachability to the historian service. In flat or poorly segmented OT networks, that reachability is frequently present from engineering workstations, jump hosts, and shared IT/OT data brokers. The historian is also one of the few OT components that is intentionally bridged to enterprise systems for reporting, which expands the exposed surface beyond the process network.
OT Impact and Compliance Risk
The physical consequence is indirect but real. A historian crash or token compromise does not move an actuator, but it degrades the data operators use to detect abnormal process behavior. An attacker who can both crash the historian and manipulate or withhold trend data creates a window where dangerous process drift goes unobserved. In a chemical, water, or power environment, loss of historian fidelity during an active disturbance is an operational safety concern, not just an IT inconvenience.
For NERC CIP environments, a historian inside the Electronic Security Perimeter falls under CIP-007 system security management and CIP-005 boundary protection obligations, and an exploitable token theft path is a defensible finding. Under IEC 62443, this maps to identification and authentication control failures under SR 1.x and availability degradation under SR 7.x. Water utilities operating under AWIA 2018 risk and resilience assessments should treat historian availability as part of the monitoring capability they are required to evaluate. Pipeline operators under TSA SD-02C should account for the historian in their architecture and access control documentation, since it commonly straddles the IT/OT boundary they are required to control.
Compensating Controls
Do not assume a maintenance window for patching exists. Historian upgrades on SE 11.00 often require coordinated downtime that operations will resist. Treat the following as the interim posture.
- Restrict network reachability to the historian service to an explicit allowlist of engineering workstations and known client systems. Enforce this at the firewall or switch ACL level, not at the host.
- Terminate the IT to OT reporting bridge through a unidirectional gateway or a data diode where feasible, so enterprise consumers pull from a replicated copy and cannot reach the live service.
- Deploy a virtual patch at the network layer. A Suricata rule concept here is to alert on anomalous authentication token requests against the historian listener and on repeated malformed session establishment attempts consistent with the DoS condition. Tune thresholds to the baseline client population so a single compromised host generating excess session activity is surfaced.
- Do not active scan the historian or its upstream segment to validate exposure. Active scanning against industrial components can crash fragile services and trigger the exact denial of service this advisory describes. Use passive traffic analysis and asset inventory data instead.
- Rotate any service accounts and review token lifetimes, shortening session validity to reduce the value of a stolen token.
BreachSpider Intel
BreachSpider tracks exploitation signals and exposure changes across Rockwell FactoryTalk and the broader OT historian footprint, so operators can monitor this vulnerability cluster without active scanning their own process network.