CISA flags three Rockwell FactoryTalk Historian Site Edition CVEs
Authentication, availability, and data-loss failures in one OT historian turn ordinary maintenance debt into plant-floor exposure.
TL;DR
CISA published ICSA-26-169-03 for Rockwell Automation FactoryTalk Historian Site Edition: CVE-2025-13036 affects version 11, while CVE-2025-44019 and CVE-2025-36539 affect 11.00 and earlier. Defense-industrial-base contractors and assessors covering critical manufacturing environments need Rockwell SD1773, BF32850 where applicable, and PI service controls. CISA reports no known public exploitation; that buys scheduling room and still leaves version-specific patch work.
CISA's Rockwell advisory matters even with no known public exploitation reported. FactoryTalk Historian Site Edition sits in critical manufacturing environments, including production systems defense-industrial-base contractors have to keep auditable and available. The advisory bundles three different failure modes in the same product family: a login endpoint issue that can yield a valid authentication token without credentials, and two AVEVA PI Data Archive uncaught-exception conditions that can shut down necessary subsystems. One denial-of-service path can also lose data from snapshots or write cache, depending on crash timing. CVSS is only the triage label. The harder signal is the spread: authentication, availability, and data retention are all in the same maintenance queue.
Version mapping is the first control. CVE-2025-13036 is listed for FactoryTalk Historian SE 11 and carries a CVSS v4 9.2 score; Rockwell points customers who cannot upgrade to corrected versions to BF32850 and Security Advisory SD1773. CVE-2025-44019 and CVE-2025-36539 cover FactoryTalk Historian SE 11.00 and earlier, with CVSS v4 7.1 scores and authenticated access requirements. The advisory text leaves the ugly operational question open: which older installations get corrected versions on what timeline, and whether the three CVEs clear in one maintenance window or several.
For practitioners, this starts with asset inventory and exposure reduction. Find every Historian SE deployment at 11 or below, check the PI Data Archive services, follow SD1773 and apply BF32850 where Rockwell says it fits, monitor the PI Network Manager and PI Archive Subsystem services, set those services to restart automatically, and restrict port 5450 to trusted workstations and software. CISA's standard control-system guidance still matters: keep these devices off the internet, isolate control networks from business networks, and run impact analysis before pushing changes into production. For assessors, a ticket marked reviewed is weak evidence. Ask for the version map, the Rockwell advisory mapping, and the compensating controls.
Published ·Deep Fathom