OTPulse

Rockwell Automation ThinManager ThinServer

Act Now · CVSS 9.8 · ICS-CERT ICSA-23-234-03 · Aug 22, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in ThinManager ThinServer allows remote deletion of arbitrary files with system privileges. An attacker can exploit this by sending a specially crafted request to TCP port 2031 without authentication. Affected versions include 11.0.0–11.0.6, 11.1.0–11.1.6, 11.2.0–11.2.6, 12.0.0–12.0.5, 12.1.0–12.1.6, 13.0.0–13.0.2, and 13.1.0. Rockwell Automation has released patched versions for all affected release branches.

What this means
What could happen
An attacker could remotely delete arbitrary files with system privileges on ThinServer, potentially destroying configuration files, logs, or system files that could halt operations or corrupt critical data.
Who's at risk
Organizations using Rockwell Automation ThinManager ThinServer for remote access management in manufacturing, water treatment, electric utilities, and other industrial environments. This is a centralized management platform that controls access to HMI (human-machine interface) terminals and industrial devices.
How it could be exploited
An attacker with network access to TCP port 2031 (ThinServer's communication port) can send a specially crafted request to trigger a file deletion vulnerability without requiring authentication or user interaction.
Prerequisites
  • Network access to TCP port 2031 on ThinServer
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · high EPSS score (40.7%) · affects control system management infrastructure
Exploitability
High exploit probability (EPSS 40.7%)
Affected products (7, all with a fix available)

Product                   Affected Versions     Fixed in version
ThinManager ThinServer    11.0.0 – 11.0.6       11.0.7
ThinManager ThinServer    11.1.0 – 11.1.6       11.1.7
ThinManager ThinServer    11.2.0 – 11.2.6       11.2.8
ThinManager ThinServer    12.1.0 – 12.1.6       12.1.7
ThinManager ThinServer    12.0.0 – 12.0.5       12.0.6
ThinManager ThinServer    13.0.0 – 13.0.2       13.0.3
ThinManager ThinServer    13.1.0                13.1.1
Remediation & Mitigation
Do now
WORKAROUND: Restrict remote access to TCP port 2031 to only known thin clients and authorized ThinManager servers using a firewall or network ACL.
Schedule — requires maintenance window

Patching may require a device reboot; plan for process interruption.

HOTFIX: Update ThinManager ThinServer to the patched version (11.0.7, 11.1.7, 11.2.8, 12.0.6, 12.1.7, 13.0.3, or 13.1.1, depending on your current version).
Long-term hardening
HARDENING: Implement network segmentation to isolate ThinServer from untrusted networks and limit who can reach port 2031.
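As an added example, not part of the OTPulse advisory or Rockwell Automation's own guidance, the following PowerShell applies the "Do now" workaround and the port-scoping part of the hardening item on the Windows host that runs ThinServer, using the built-in Windows Firewall cmdlets. It sets the default inbound action to Block, disables any existing inbound Allow rule that exposes TCP 2031 to any address (so a broad rule added by an installer cannot undercut the allowlist, since Windows Firewall gives Block precedence over Allow), and then adds a single Allow rule scoped to the known peers. The addresses in $AllowedPeers and the rule display name are placeholders chosen here; replace them with your own thin-client subnets and peer ThinManager servers. This is a host-level complement to the network firewall or ACL the advisory calls for, not a replacement for it or for the hotfix.

```powershell
# Added example (not from the OTPulse advisory or Rockwell Automation).
# Run in an elevated PowerShell session on the ThinServer host.
$ThinServerPort = 2031
# Constructed placeholder values: your thin-client subnet(s) and peer ThinManager servers.
$AllowedPeers   = @('10.10.20.0/24', '10.10.30.5')

# 1. The allowlist only means something if unmatched inbound traffic is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable any inbound Allow rule on TCP 2031 that is not address-scoped.
#    Rule names vary by installer, so match on the port filter rather than on a name.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $ThinServerPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $scope = $_ | Get-NetFirewallAddressFilter
        if ($scope.RemoteAddress -eq 'Any') {
            Write-Host "Disabling unscoped rule: $($_.DisplayName)"
            Disable-NetFirewallRule -Name $_.Name
        }
    }

# 3. Allow TCP 2031 only from the known peers (placeholder display name).
New-NetFirewallRule -DisplayName 'ThinServer TCP 2031 - known thin clients only' `
    -Direction Inbound -Protocol TCP -LocalPort $ThinServerPort `
    -RemoteAddress $AllowedPeers -Action Allow -Profile Any -Enabled True

# 4. Verify: every enabled inbound rule on TCP 2031 should now show a scoped RemoteAddress.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $ThinServerPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Action = $_.Action
            Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    } | Format-Table -AutoSize
```

Before enabling this on a production ThinServer, confirm the allowlist covers every thin client and every ThinManager server that synchronises with this host; any peer left off the list loses connectivity on port 2031 once the default inbound action is Block.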
API: /api/v1/advisories/88220925-6e18-46bd-b9e6-70be7619f9d1