Executive Summary

CVE-2025-13036, alongside CVE-2025-44019 and CVE-2025-36539, allows an attacker positioned with network access to FactoryTalk Historian Site Edition 11 to obtain a valid authentication token or force a denial of service that crashes the historian service. The physical criticality is indirect but real: the historian is the system of record for process data, and losing it blinds operators, breaks regulatory data retention, and corrupts the trend data engineers use to make safety and production decisions.

Technical Exposure Breakdown

FactoryTalk Historian SE is the on-premise time-series store built on the OSIsoft PI architecture and integrated into Rockwell's FactoryTalk services stack. The affected versions are FactoryTalk Historian SE 11 for CVE-2025-13036, and SE 11.00 and earlier for CVE-2025-44019 and CVE-2025-36539. The vendor assigned a CVSS v3 base of 7.7 to the equipment vulnerability set.

The core issue is the authentication token handling within the FactoryTalk services that broker access to the historian. A token obtained improperly grants an attacker a legitimate session against the data archive without going through normal credential validation. In practice this means an attacker who can reach the historian endpoints over the network can authenticate as a trusted client and either read archived process values or interact with the service in ways the access model assumed were privileged.

The denial of service and crash conditions are the more immediately dangerous outcomes in an operating plant. A malformed request or token sequence that crashes the historian service does not require the attacker to maintain a session. It is a single-shot disruption. The attack vector is network adjacent: the adversary needs routable access to the FactoryTalk Historian server, typically resident in the supervisory or Level 3 site operations zone under the Purdue model. This is not internet-facing in a correctly segmented environment, which sharply changes the practical risk calculus compared to an IT assumption of broad exposure.

OT Impact and Compliance Risk

The historian does not directly command field devices, so this is not a process safety actuation risk in the way a PLC firmware flaw would be. The damage is to observability and data integrity. If the historian crashes, operators lose live and historical trending, alarm context degrades, and post-event forensic reconstruction becomes impossible for the outage window. For continuous processes, the loss of trend visibility during an upset can extend recovery time and force conservative manual operation.

The token theft path is a data integrity and confidentiality problem. Stolen or fabricated process history undermines the trust that engineering and regulatory reporting place in the archive. Under NERC CIP, the historian frequently supports CIP-007 event monitoring and CIP-008 incident analysis, so a service that can be crashed or impersonated weakens evidence custody. Under IEC 62443-3-3, this maps cleanly to SR 1.1 and SR 1.2 identification and authentication enforcement failures, and to SR 7.1 and SR 7.2 denial of service resistance. Pipeline operators bound by TSA SD-02C should treat the historian as a critical cyber system whose availability and access control are in scope for the required architecture and monitoring measures. Water utilities operating under AWIA 2018 assessments should account for the historian as part of their SCADA dependency mapping.

Compensating Controls

Do not rush an active scan of the historian server to confirm version. Active scanning of FactoryTalk services has a history of inducing the exact crash conditions these CVEs describe, so confirm versions from installed software inventory and FactoryTalk Administration Console rather than probing the live service.

Schedule the vendor remediation for the next planned maintenance window, but treat the network controls above as the immediate mitigation given that patching a production historian carries its own outage risk.

BreachSpider Intel

BreachSpider tracks exploitation signals and exposure changes across the Rockwell FactoryTalk stack and the broader catalog of 25,000+ ICS CVEs so OT teams can prioritize before a flaw reaches the known exploited vulnerability catalog.