Rockwell Automation FactoryTalk Historian Site Edition

HIGH

CVSS 7.7

Date 2026-06-18T06:00:00+00:00

Source cisa-csaf

Published by CISA

// Description

Successful exploitation of these vulnerabilities could allow an attacker to obtain a valid authentication token, perform a denial of service, or crash the system.

// Vulnerabilities (3)

CVE ID	CVSS Score	Severity	Description
CVE-2025-44019	7.1	high	AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service. Depending on the timing of the crash, data present in snapshots/write cache may be lost.
CVE-2025-36539	6.5	medium	AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service.
CVE-2025-13036	7.7	high	An authentication bypass security issue exists within FactoryTalk Historian Site Edition. By continually sending requests to the login endpoint, an attacker may obtain a valid authentication token.

// Affected Products (2)

Vendor	Product	Asset Type	Purdue Level	Firmware
Rockwell Automation	Unknown	historian	L3	11
AVEVA	Unknown	historian	L3	2023

// Remediations (13)

Mitigation: Mitigations and Workarounds for CVE-2025-36539 & CVE-2025-44109: Customers using the affected softwa

Mitigations and Workarounds for CVE-2025-36539 & CVE-2025-44109: Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices and also consider the following: Monitor liveness of PI Network Manager and PI Archive Subsystem services. Set the PI Network Manager and PI Archive Subsystem services to automatically restart. Limit port 5450 access to trusted workstations and software. For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements. For a starting point on PI system security best practices, see knowledge base article KB00833 - Best practices for securing your PI Server.

Mitigation: AVEVA further recommends users follow general defensive measures:

AVEVA further recommends users follow general defensive measures:

Mitigation: Set the PI Network Manager and PI Archive Subsystem services to automatically restart.

Set the PI Network Manager and PI Archive Subsystem services to automatically restart.

Mitigation: For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Po

For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements.

Mitigation: For additional information please refer to AVEVA-2025-001.

For additional information please refer to AVEVA-2025-001.

Mitigation: For a starting point on PI System security best practices, see knowledge base article KB00833 - Seve

For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server.

Mitigation: Monitor liveness of PI Network Manager and PI Archive Subsystem services.

Monitor liveness of PI Network Manager and PI Archive Subsystem services.

Mitigation: Limit Port 5450 access to trusted workstations and software.

Limit Port 5450 access to trusted workstations and software.

Mitigation: AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their oper

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected product versions should apply security updates to mitigate the risk of exploit.

Patch: (CVE-2025-44019, CVE-2025-36539) All affected versions of PI Data Archive and PI Server can be fixed

(CVE-2025-44019, CVE-2025-36539) All affected versions of PI Data Archive and PI Server can be fixed by upgrading to PI Server 2024 or higher. From OSISoft Customer Portal, search for "AVEVA PI Server" and select version 2024 or higher.

Mitigation: Impact and severity of vulnerabilities can be reduced through industry accepted IT practices. Please

Impact and severity of vulnerabilities can be reduced through industry accepted IT practices. Please consult your IT engineer for advice on how to best implement these firewall restrictions in your organization's architecture. OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration.