OTPulse

Rockwell Automation ThinManager ThinServer

Act Now · CVSS 9.8 · ICS-CERT ICSA-24-242-01 · Aug 29, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation ThinManager ThinServer contains input validation and access control vulnerabilities (CWE-20, CWE-269, CWE-732) that allow unauthenticated attackers to read arbitrary files and execute arbitrary code with system privileges. Successful exploitation could enable an attacker to compromise the ThinServer host and potentially control connected industrial devices and automation systems.

What this means
What could happen
An attacker with network access to ThinServer could read sensitive files from the system or execute arbitrary code with system-level privileges, potentially allowing them to manipulate plant operations, modify process configurations, or disrupt service availability.
Who's at risk
This affects sites using Rockwell Automation ThinManager ThinServer for remote monitoring and management of industrial devices, PLCs, and HMI systems. Facilities managing manufacturing lines, utilities (water, electric), packaging systems, or any networked automation infrastructure relying on ThinServer are at risk.
How it could be exploited
An attacker on the network can send a specially crafted request to an exposed ThinServer instance without authentication. The server fails to properly validate input or enforce access controls, allowing the attacker to read arbitrary files or execute commands with system privileges on the ThinServer host.
Prerequisites
  • Network access to ThinServer HTTP/HTTPS port
  • No authentication required
  • ThinServer must be reachable from attacker's network segment
Key points
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High EPSS score (12.6%)
  • Allows arbitrary code execution with system privileges
  • Affects plant automation management infrastructure
Exploitability
High exploit probability (EPSS 12.6%)
Affected products (7)
7 with fix
Product                  Affected Versions            Fix Status
ThinManager ThinServer   >= 11.1.0 and < 11.1.7       11.1.8 or later
ThinManager ThinServer   >= 11.2.0 and < 11.2.8       11.1.8 or later
ThinManager ThinServer   >= 12.0.0 and < 12.0.6       11.1.8 or later
ThinManager ThinServer   >= 12.1.0 and < 12.1.7       11.1.8 or later
ThinManager ThinServer   >= 13.0.0 and < 13.0.4       11.1.8 or later
ThinManager ThinServer   >= 13.1.0 and < 13.1.2       11.1.8 or later
ThinManager ThinServer   >= 13.2.0 and < 13.2.1       11.1.8 or later
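The affected-version table above is what an asset owner needs to run an inventory against. The following is an added example, not code from OTPulse or Rockwell Automation: it parses the advisory's ">=A|<B" range syntax and reports whether a given ThinServer version string falls into an affected branch, together with the patched version for that branch taken from the hotfix note. How the installed version is obtained (inventory export, file properties, registry) is site-specific and is assumed here to be a plain string such as "12.1.5"; the `SAMPLE_INVENTORY` hostnames are constructed.

```python
# Added example (not part of the OTPulse advisory or Rockwell's software):
# check installed ThinManager ThinServer versions against the affected
# ranges published in ICSA-24-242-01.
import operator
from typing import Dict, List, Optional, Tuple

# Affected ranges in the advisory's own ">=A|<B" notation, paired with the
# fixed version for that branch as given in the advisory's hotfix note.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    (">=11.1.0|<11.1.7", "11.1.8"),
    (">=11.2.0|<11.2.8", "11.2.9"),
    (">=12.0.0|<12.0.6", "12.0.7"),
    (">=12.1.0|<12.1.7", "12.1.8"),
    (">=13.0.0|<13.0.4", "13.0.5"),
    (">=13.1.0|<13.1.2", "13.1.3"),
    (">=13.2.0|<13.2.1", "13.2.2"),
]

# Comparison operators, longest first so ">=" is matched before ">".
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, "<": operator.lt}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '12.1' or '12.1.5' into a comparable (major, minor, patch) tuple.
    Missing trailing components are treated as 0 so '13.2' == '13.2.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def parse_range(spec: str) -> List[Tuple[str, Version]]:
    """Parse '>=11.1.0|<11.1.7' into [('>=', (11,1,0)), ('<', (11,1,7))].
    The '|' joins clauses that must all hold (a bounded branch)."""
    constraints = []
    for clause in spec.split("|"):
        clause = clause.strip()
        for op in OPS:  # dict order puts the two-character operators first
            if clause.startswith(op):
                constraints.append((op, parse_version(clause[len(op):])))
                break
        else:
            raise ValueError(f"unsupported constraint: {clause!r}")
    return constraints


def in_range(version: str, spec: str) -> bool:
    """True when every clause of `spec` holds for `version`."""
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in parse_range(spec))


def assess(version: str) -> Dict[str, Optional[str]]:
    """Return the matching affected range and the version to update to,
    or affected=False when the version is outside every published range."""
    for spec, fixed in AFFECTED_RANGES:
        if in_range(version, spec):
            return {"affected": True, "range": spec, "update_to": fixed}
    return {"affected": False, "range": None, "update_to": None}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "thinsrv-line1": "12.1.5",
    "thinsrv-line2": "12.1.7",
    "thinsrv-pkg": "13.2.0",
    "thinsrv-lab": "10.0.0",
}


def report(inventory: Dict[str, str]) -> List[str]:
    """One line per host that still runs an affected build."""
    lines = []
    for host, ver in sorted(inventory.items()):
        result = assess(ver)
        if result["affected"]:
            lines.append(f"{host}: {ver} is in {result['range']}; "
                         f"update to {result['update_to']} or later")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

The range parser is deliberately strict: an unknown operator or a malformed version raises instead of silently treating the host as unaffected, which is the failure mode you want to avoid in a patch-compliance check.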
Remediation & Mitigation
Do now
Workaround: Restrict network access to ThinServer using firewall rules; ensure ThinServer is not directly accessible from the internet or business networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update ThinManager ThinServer to patched versions: 11.1.8 or later, 11.2.9 or later, 12.0.7 or later, 12.1.8 or later, 13.0.5 or later, 13.1.3 or later, or 13.2.2 or later
Long-term hardening
Hardening: Isolate ThinServer and all connected control system devices on a dedicated network segment behind a firewall, separate from business networks
Hardening: If remote access to ThinServer is required, use a VPN with current security patches and restrict VPN access to authorized personnel only