Rockwell Automation FactoryTalk ThinManager
Act Now | CVSS 9.8 | ICS-CERT ICSA-24-305-01 | Oct 31, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Rockwell Automation FactoryTalk ThinManager contains improper input validation (CWE-125) and missing authentication (CWE-306) vulnerabilities. Successful exploitation allows an attacker to send crafted messages resulting in database manipulation or denial of service. Affected versions: ThinManager 11.2.0–11.2.8, 12.0.0–12.0.6, 12.1.0–12.1.7, 13.0.0–13.0.4, 13.1.0–13.1.2, 13.2.0–13.2.1, and 14.0.0.
What this means
What could happen
An attacker could send malicious messages to ThinManager to manipulate its database or crash the service, disrupting terminal management and visualization across your connected operator stations and remote access points.
Who's at risk
Water authorities and electric utilities using Rockwell Automation ThinManager for terminal server management and operator station access. Any site relying on ThinManager for remote visualization, terminal emulation, or centralized device management should assess its version immediately.
How it could be exploited
An attacker on the network sends specially crafted messages to ThinManager's listening service (TCP 2031). The service lacks proper input validation (CWE-125) and authentication checks (CWE-306), so the messages reach backend database functions without verification. This could corrupt configuration data or trigger a denial of service.
Prerequisites
- Network access to TCP 2031 on the ThinManager device
- No valid credentials required
- Attacker must be on the same network segment or have a routed network path to the device
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS (9.8)
- Affects terminal management infrastructure
- Database manipulation potential
Exploitability
Moderate exploit probability (EPSS 3.7%)
Affected products (7)
7 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| ThinManager | ≥ 12.0.0, < 12.0.7 | 11.2.9 |
| ThinManager | ≥ 12.1.0, < 12.1.8 | 11.2.9 |
| ThinManager | ≥ 13.0.0, < 13.0.5 | 11.2.9 |
| ThinManager | ≥ 11.2.0, < 11.2.9 | 11.2.9 |
| ThinManager | ≥ 13.1.0, < 13.1.3 | 11.2.9 |
| ThinManager | ≥ 13.2.0, < 13.2.2 | 11.2.9 |
| ThinManager | 14.0.0 | 11.2.9 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to TCP 2031 on ThinManager to only authorized devices (terminals, engineering workstations, remote access gateways that require connection)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Apply vendor patches to ThinManager: upgrade to version 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, 13.2.2, or later depending on your current version
Long-term hardening
- HARDENING: Isolate ThinManager on a separate VLAN or behind a firewall that limits inbound connections from business networks and the internet
- HARDENING: If remote access to ThinManager is required, route all connections through a VPN with current security patches
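To apply the patch guidance above across several servers, this added example (not part of the advisory or any Rockwell tooling) checks a host/version inventory against the affected ranges and patch versions listed on this page. The `host,version` line format, the function names and the sample hosts are assumptions made for illustration.

```python
import re

# (first affected, first fixed) per branch, taken from this advisory's version list
# and patch list. The page names no fixed 14.x release, so 14.0.0 maps to None.
AFFECTED = [
    ((11, 2, 0), (11, 2, 9)), ((12, 0, 0), (12, 0, 7)), ((12, 1, 0), (12, 1, 8)),
    ((13, 0, 0), (13, 0, 5)), ((13, 1, 0), (13, 1, 3)), ((13, 2, 0), (13, 2, 2)),
    ((14, 0, 0), None),
]
NO_TARGET = "later release (not named in this advisory)"

def parse_version(text):
    """Return (major, minor, patch); trailing build fields are ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def assess(version_text):
    """Return (affected, upgrade_target) for one installed version string."""
    v = parse_version(version_text)
    for low, fixed in AFFECTED:
        if fixed is None and v == low:
            return True, NO_TARGET
        if fixed is not None and low <= v < fixed:
            return True, ".".join(map(str, fixed))
    return False, None

def triage(inventory):
    """inventory: 'host,version' lines. Returns rows that need action or review."""
    findings = []
    for line in inventory:
        host, _, version = (f.strip() for f in line.partition(","))
        if not host or host.startswith("#"):
            continue
        try:
            affected, target = assess(version)
        except ValueError:
            findings.append((host, version, "unparseable, check manually"))
            continue
        if affected:
            findings.append((host, version, target))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = ["tm-plant1, 13.1.2", "tm-plant2, 13.1.3", "tm-lab, 14.0.0",
          "tm-old, 11.1.4", "tm-x, unknown"]
if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

A version outside the listed ranges is reported as not affected only in the sense that this advisory does not list it.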
CVEs (2)