Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote unauthenticated against the login endpoint (AV:N/PR:N/UI:N); race condition makes exploitation timing-dependent so AC:H; token grants full app access yielding C:H/I:H with limited A:L.
Primary rating from Vendor (Rockwell).
CVSS VectorVendor: Rockwell
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An authentication bypass security issue exists within FactoryTalk Historian Site Edition. By continually sending requests to the login endpoint, an attacker may obtain a valid authentication token.
AnalysisAI
Authentication bypass in Rockwell Automation FactoryTalk Historian Site Edition allows remote attackers to obtain a valid authentication token by repeatedly hammering the login endpoint, exploiting a race condition (CWE-362) in the authentication flow. The flaw carries a CVSS 4.0 score of 9.2 with network attack vector and no privileges required, though successful exploitation depends on winning a timing window (AT:P). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
FactoryTalk Historian Site Edition is Rockwell Automation's industrial data historian used to collect, store, and analyze time-series process data from PLCs and SCADA systems in manufacturing and critical infrastructure environments (cpe:2.3:a:rockwell_automation:factorytalk_historian_se). The underlying weakness is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, a.k.a. race condition), indicating that the login endpoint's token issuance or session state is not properly synchronized - concurrent requests can cause the authentication check and token generation to interleave in a way that yields a valid token without valid credentials. The CVSS 4.0 vector's AT:P (attack requirements: present) confirms that exploitation depends on race timing rather than being a trivial logic flaw.
RemediationAI
Patch available per vendor advisory: consult Rockwell Automation Security Advisory SD1773 (https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1773.html) for the fixed FactoryTalk Historian SE release and apply it on all instances. Until the update is deployed, compensating controls include restricting network reachability of the Historian's web/login endpoint to a dedicated OT management VLAN and trusted engineering workstations via firewall ACLs (trade-off: blocks legitimate remote operator access and may require VPN/jump-host workflow), placing rate-limiting or a reverse proxy in front of the login endpoint to throttle the concurrent request burst the race requires (trade-off: may disrupt legitimate automation that authenticates frequently), and monitoring authentication logs for bursts of near-simultaneous login attempts from a single source as a detection signal.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210168
GHSA-q6qc-22qv-jjr8