Rockwell Automation ThinManager
CVSS 6.8 · ICS-CERT ICSA-24-256-25 · Sep 12, 2024
Vendor: Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: Required
Summary
Rockwell Automation ThinManager versions 13.1.0 through 13.1.2 and 13.2.0 through 13.2.1 contain a remote code execution vulnerability. Successful exploitation could allow an attacker with valid credentials and network access to execute arbitrary code on the ThinManager server. ThinManager is a thin client terminal software commonly used in industrial environments to provide access to control system interfaces, HMIs, and remote operations.
What this means
What could happen
An attacker with valid user credentials and local network access to ThinManager could execute arbitrary code on the system, potentially allowing them to manipulate industrial processes, alter HMI displays, or disrupt operations controlled through the thin client interface.
Who's at risk
Water utilities and electric utilities using Rockwell Automation ThinManager for remote thin client access to control systems and HMIs should prioritize patching. Any organization using ThinManager v13.1.0–13.1.2 or v13.2.0–13.2.1 is affected. This is particularly critical for facilities where ThinManager is used to manage PLCs, drives, or process control systems across multiple production lines or remote sites.
How it could be exploited
An attacker with valid ThinManager credentials and network access to the ThinManager server could exploit the vulnerability to execute remote code on the server. This requires the attacker to have an existing user account and network visibility to the ThinManager service (typically accessed via local network or VPN).
Prerequisites
- Valid ThinManager user credentials (non-guest account)
- Network access to ThinManager server port (default typically port 1900 or 2000)
- User interaction or session required to trigger payload (per CVSS UI:R flag)
- Remotely exploitable over network
- Requires valid user credentials (moderates risk)
- Low attack complexity
- High impact: remote code execution on control system interface
- User interaction required to trigger (moderates immediacy)
Exploitability
Some exploitation risk — EPSS score 3.3%
Affected products (2)
2 with fix
Product: ThinManager; Affected versions: >= V13.1.0 and < 13.1.2; Fix status: 13.1.3
Product: ThinManager; Affected versions: >= V13.2.0 and < 13.2.1; Fix status: 13.1.3
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the ThinManager server to authorized engineering workstations and thin client devices only; use firewall rules to block access from untrusted network segments.
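An added example, not from the advisory or from Rockwell Automation, of applying the workaround above on the Windows host that runs ThinManager, using the built-in Windows Defender Firewall cmdlets. The port numbers are taken from the prerequisites section of this advisory ("default typically port 1900 or 2000") and must be confirmed against the actual deployment; the host addresses are constructed placeholders.

```powershell
# Added example (not from the advisory or from Rockwell Automation): limit inbound
# access to the ThinManager listener to an allow-list of engineering workstations
# and thin clients. Run from an elevated PowerShell session on the ThinManager host.
# Assumptions: ports are those named in the advisory's prerequisites and must be
# verified locally; the addresses below are constructed and must be replaced.

$ThinManagerPorts = @('1900', '2000')        # assumed from the advisory; verify locally
$AuthorizedHosts  = @('10.10.20.0/24',       # constructed: thin client VLAN
                      '10.10.30.15',         # constructed: engineering workstation
                      '10.10.30.16')         # constructed: engineering workstation

# 1. Deny unsolicited inbound traffic unless a rule allows it. Windows evaluates
#    Block rules ahead of Allow rules, so a "block everything else" rule on these
#    ports would also block the authorized hosts; the deny has to come from the
#    profile default instead of from an explicit rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Find enabled Allow rules that already expose the same ports to any remote
#    address (typically created by an installer). These are reported, not changed,
#    so the operator can review them before disabling.
#    Note: only exact port matches are checked; a rule using a port range or
#    LocalPort 'Any' will not be flagged and needs a manual look.
$BroadRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        $addrs = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        ($ports | Where-Object { $ThinManagerPorts -contains $_ }) -and ($addrs -contains 'Any')
    }
foreach ($r in $BroadRules) {
    Write-Warning "Broad allow rule exposes ThinManager port to Any: $($r.DisplayName)"
}
# After review: $BroadRules | Disable-NetFirewallRule

# 3. Narrow allow rule for the authorized hosts only.
New-NetFirewallRule -DisplayName 'ThinManager - allow authorized hosts' `
    -Direction Inbound -Protocol TCP -LocalPort $ThinManagerPorts `
    -RemoteAddress $AuthorizedHosts -Action Allow -Profile Domain,Private `
    -Description 'ICSA-24-256-25 workaround: allow-list for the ThinManager service'

# 4. Verify: show every enabled inbound rule that touches these ports, with its
#    action and remote address scope.
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $rule  = $_
    $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    if ($ports | Where-Object { $ThinManagerPorts -contains $_ }) {
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Action        = $rule.Action
            LocalPort     = ($ports -join ',')
            RemoteAddress = (@(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ',')
        }
    }
} | Format-Table -AutoSize
```

The design point is the order of evaluation: because Windows applies Block rules before Allow rules, the "deny from untrusted segments" part of the workaround is achieved by the profile default plus a tightly scoped Allow rule, not by a second Block rule on the same ports. The verification step at the end should show only the new allow-list rule for the ThinManager ports once any broad installer rules have been disabled.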
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update ThinManager v13.1.X systems to version 13.1.3 or later
HOTFIX: Update ThinManager v13.2.X systems to version 13.2.2 or later
HARDENING: Disable any ThinManager web interface or remote management features if not actively used; restrict access to engineering workstations on the internal network only
Long-term hardening
HARDENING: If remote access to ThinManager is required, enforce access through a VPN with multi-factor authentication rather than direct network exposure
CVEs (1)