OTPulse

Rockwell Automation ThinManager

Priority: Act Now · CVSS 9.8 · ICS-CERT ICSA-23-080-06 · Mar 31, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Vulnerabilities in Rockwell Automation ThinManager ThinServer versions 6.x through 13.0.1 allow remote code execution or denial of service. The flaws (path traversal and buffer overflow) can be exploited by sending unauthenticated requests to port 2031/TCP. Successful exploitation gives an attacker control of the ThinServer process, potentially enabling manipulation of HMI displays or process parameters, or termination of the visualization service. Versions 6.x–10.x are retired and receive no fix. Patched versions are available: 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, 13.0.2. If patching is delayed, restrict port 2031/TCP access to known thin clients and ThinManager servers, and ensure the server is not reachable from the Internet.

What this means
What could happen
An attacker could execute arbitrary code on ThinManager ThinServer remotely, potentially altering visualization setpoints, halting HMI operations, or crashing the software—disrupting real-time visibility and control of industrial processes across all connected thin clients.
Who's at risk
Water authorities and electric utilities using Rockwell Automation ThinManager for HMI/SCADA visualization and remote terminal access. The flaws affect centralized monitoring and thin client management across generation, transmission, water treatment, and distribution operations.
How it could be exploited
An attacker on the network (or from the Internet if port 2031/TCP is exposed) sends a crafted request to ThinManager ThinServer without authentication. The server processes the malformed input insecurely (CWE-22 path traversal or CWE-122 buffer overflow), allowing the attacker to run commands with the privileges of the ThinServer process.
Prerequisites
  • Network reachability to port 2031/TCP
  • No credentials required
  • ThinServer running a vulnerable version (6.x through 13.0.1)
Tags: remotely exploitable · no authentication required · low complexity · high EPSS score (69.5%) · affects HMI/visualization systems
Exploitability
High exploit probability (EPSS 69.5%)
Affected products (1)
Product                 | Affected Versions                                                    | Fix Status
ThinManager ThinServer  | ≥ 6.x and ≤ 10.x; ≥ 11.0.0 and ≤ 11.0.5; ≥ 11.1.0 and ≤ 11.1.5; and 4 more | 11.0.6
Remediation & Mitigation
Do now
WORKAROUND: Restrict inbound access to port 2031/TCP to only known thin clients and ThinManager servers using firewall rules
HARDENING: Ensure ThinManager ThinServer is not reachable from the Internet; place it behind a firewall and isolate it from the business network
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ThinManager ThinServer to a patched version: 11.0.6, 11.1.6, 11.2.7, 12.0.5, 12.1.6, or 13.0.2 (depending on the current version)
Long-term hardening
HARDENING: Review and implement Rockwell Automation Security Best Practices (QA43240)
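An added triage helper for the patching step above (example code, not OTPulse's or Rockwell Automation's): it maps each installed ThinServer version to the action this advisory calls for. It assumes each 11.x to 13.x branch is vulnerable below the patched release listed in the summary, and the host inventory is constructed sample data.

```python
# Added example (not OTPulse's or Rockwell's code): triage ThinServer hosts
# against the version ranges in ICSA-23-080-06.
from typing import Dict, List, Optional, Tuple

# Patched release per supported branch, from the advisory's fix list.
# Assumption: each branch is vulnerable below its patched release.
FIXED = {
    (11, 0): "11.0.6", (11, 1): "11.1.6", (11, 2): "11.2.7",
    (12, 0): "12.0.5", (12, 1): "12.1.6", (13, 0): "13.0.2",
}
RETIRED_MAJORS = range(6, 11)  # 6.x through 10.x: retired, no fix on branch

def parse_version(text: str) -> Tuple[int, ...]:
    """'12.0.4' -> (12, 0, 4); a trailing build tag such as '-b3' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))

def triage(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, target_release). Status is 'vulnerable', 'patched',
    'retired' (upgrade off the branch) or 'unknown' (not in the advisory)."""
    v = parse_version(version)
    major, minor = v[0], (v[1] if len(v) > 1 else 0)
    if major in RETIRED_MAJORS:
        return "retired", None
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown", None  # e.g. 13.1+: outside the advisory's range
    if v < parse_version(fixed):
        return "vulnerable", fixed
    return "patched", None

def needs_action(inventory: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Hosts that still need a patch or branch upgrade, as (host, status, target)."""
    results = []
    for host, ver in sorted(inventory.items()):
        status, target = triage(ver)
        if status in ("vulnerable", "retired"):
            results.append((host, status, target))
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "thinsrv-wtp-01": "13.0.1", "thinsrv-wtp-02": "13.0.2",
    "thinsrv-sub-07": "11.1.5", "thinsrv-legacy": "9.0.3",
}

if __name__ == "__main__":
    for host, status, target in needs_action(SAMPLE_INVENTORY):
        print(host, status, target or "upgrade to a supported branch")
```

Versions the advisory does not list (for example a 13.1 branch) come back as "unknown" rather than being assumed safe.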