External risk intelligence

FactoryTalk Historian Site Edition Authentication Bypass

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2025-13036

An authentication bypass exists in FactoryTalk Historian Site Edition, allowing an attacker to obtain a valid token by sending continuous requests to the login endpoint. The primary concern is understanding if this affects your systems, as FactoryTalk Historian Site Edition is typically isolated within internal network

2Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2025-13036

FactoryTalk Historian Site Edition is an industrial operations software typically deployed within internal, segmented manufacturing or process control networks. While the login endpoint is network-reachable, these systems are generally designed to be isolated from the public internet, making public exposure uncommon.

PCI scan relevance

PCI Relevance for CVE-2025-13036

Yes

CVE-2025-13036 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows an attacker to bypass authentication by repeatedly sending requests, which could lead to a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details an authentication bypass vulnerability in FactoryTalk Historian Site Edition, where continuous requests to the login endpoint can grant an attacker a valid authentication token. The main concern is confirming relevance and exposure, as this industrial operations software is typically isolated within internal networks.

  • Bypass login to gain access.
  • Confirm if this affects our systems.
  • Understand potential operational impact.

Attack Path

How an attacker could exploit the issue

An attacker could bypass authentication by repeatedly sending requests to the login endpoint of FactoryTalk Historian Site Edition. This would allow them to obtain a valid authentication token, potentially leading to unauthorized access and control within the system.

  • Requires network access.
  • Continually sending login requests.
  • Unauthorized access to system.

Live Threat

Current exploitation, exposure, and threat context

An attacker who can send repeated requests to the login endpoint of FactoryTalk Historian Site Edition could potentially obtain a valid authentication token. This could affect access to the system's historical data and operational information.

  • Access to system data.
  • Repeated requests to the login endpoint.
  • Unauthorized access to historical data.

Operational Fix

Recommended remediation, mitigation, and detection steps

The vulnerability in FactoryTalk Historian Site Edition likely impacts operational technology (OT) teams and potentially IT security teams responsible for securing industrial control systems. The first practical step is to identify all instances of FactoryTalk Historian Site Edition within the environment, confirm their network exposure and business criticality, and then ascertain the accountable owner before planning remediation.

  • OT and Security teams own this issue.
  • Verify network reachability and business criticality.
  • Plan coordinated remediation based on risk.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is FactoryTalk Historian Site Edition?

FactoryTalk Historian Site Edition is industrial software used to collect, store, and analyze high-volume time-series data from manufacturing and process control environments. It acts as a central repository for operational technology data, helping engineers and operators track equipment performance and system trends over time.

How does CVE-2025-13036 allow an authentication bypass?

This vulnerability relates to CWE-362, which involves race conditions. In this specific case, the software fails to properly handle a high volume of login attempts. By rapidly firing repeated requests to the login endpoint, an attacker can exploit the timing of these requests to trick the system into granting a valid authentication token without needing legitimate credentials.

Does any specific action trigger this authentication bypass?

The flaw is triggered by an attacker sending a continuous, automated stream of requests to the login endpoint. It is important to note that a single, standard login attempt will not trigger this vulnerability. The bypass requires a specific, repeated pattern of interaction designed to exploit the system's processing timing during the authentication handshake.

Is my system at risk if it is not internet-facing?

Halo Surface Signal indicates that this software is typically found within internal, segmented manufacturing networks rather than on the public internet. While the login endpoint is reachable over a network, its isolation from the open web significantly reduces the likelihood of an external attacker reaching it, making it safer than internet-exposed services.

What should I do if I use FactoryTalk Historian?

Start by locating all instances of the software within your environment and identifying the business teams responsible for them. Verify whether these systems have network pathways that could be accessed by unauthorized users. Once your inventory is complete, coordinate with the accountable owners to review operational impact and plan for necessary security updates or configuration changes.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished