Critical Authentication Bypass and DoS Flaws in Rockwell Automation FactoryTalk Historian SE (CVE‑2025‑13036, CVE‑2025‑44019, CVE‑2025‑36539)
What It Is — Three high‑severity vulnerabilities in Rockwell Automation’s FactoryTalk Historian Site Edition allow an attacker to repeatedly query the login endpoint to obtain a valid authentication token, trigger denial‑of‑service conditions, or crash the application.
Exploitability — Publicly disclosed; proof‑of‑concept requests have been demonstrated. CVSS v3 base score 7.7 (High). No known active exploit‑as‑a‑service, but the attack surface is reachable from network‑connected environments.
Affected Products — Rockwell Automation FactoryTalk Historian Site Edition version 11 and any version ≤ 11.00 (CVE‑2025‑13036, CVE‑2025‑44019, CVE‑2025‑36539).
Why It Matters for Compliance & Audit Readiness
- SOC 2’s Security principle requires documented controls over authentication and system availability; these flaws expose gaps that auditors will probe.
- Continuous control monitoring can surface unpatched vulnerabilities before they become audit findings, providing evidence of due‑diligence.
- Demonstrating a formal remediation workflow (patch management, configuration hardening) satisfies the Change Management and Risk Management criteria of the Trust Services Criteria.
Recommended Actions
- Apply Rockwell’s latest patches for the three CVEs immediately.
- Verify that multi‑factor authentication is enforced for all remote access to Historian SE.
- Update your control mapping to include “Authentication Token Validation” and “ICS Service Availability” controls, and capture patch‑install evidence in your compliance repository.
- Conduct a targeted penetration test on the Historian SE environment to confirm remediation.
Source: CISA Advisory – ICSA‑26‑169‑03