Summary
Successful exploitation of these vulnerabilities could allow an attacker to obtain a valid authentication token, perform a denial of service, or crash the system.
The following versions of Rockwell Automation FactoryTalk Historian Site Edition are affected:
- FactoryTalk Historian SE 11 (CVE-2025-13036)
- FactoryTalk Historian SE <=11.00 (CVE-2025-44019)
- FactoryTalk Historian SE <=11.00 (CVE-2025-36539)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 7.7 | Rockwell Automation | Rockwell Automation FactoryTalk Historian Site Edition | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’), Uncaught Exception |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
CVE-2025-13036
An authentication bypass security issue exists within FactoryTalk Historian Site Edition. By continually sending requests to the login endpoint, an attacker may obtain a valid authentication token.
Affected Products
Rockwell Automation FactoryTalk Historian Site Edition
Rockwell Automation
Rockwell Automation FactoryTalk Historian SE: 11
known_affected
Remediations
Mitigation
Rockwell Automation recommends the following: Mitigations and Workarounds for CVE-2025-13036: Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices and consider applying the available patch (BF32850) for their current version (https://support.rockwellautomation.com/app/answers/answer_view/a_id/1157978/loc/en_US).
https://support.rockwellautomation.com/app/answers/answer_view/a_id/1157978/loc/en_US
Mitigation
For more information, see Rockwell Automation Security Advisory SD1773 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1773.html)
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1773.html
Relevant CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L |
| 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
CVE-2025-44019
AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service. Depending on the timing of the crash, data present in snapshots/write cache may be lost.
Affected Products
Rockwell Autom
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from All CISA Advisories
Read the original article:
Read the original article: