Rockwell Automation ThinManager

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-25-119-01 | Apr 15, 2025
Rockwell Automation
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Two vulnerabilities exist in Rockwell Automation ThinManager: a local privilege escalation flaw (CVE-2025-3617) and a denial-of-service condition (CVE-2025-3618). Successful exploitation requires local access to the ThinManager workstation and could allow an attacker to escalate privileges, run arbitrary commands, and disrupt service.

What this means
What could happen
An attacker with local access to a ThinManager device could escalate privileges and run arbitrary commands, potentially disrupting remote access to your thin clients and control network devices or denying service to connected equipment.
Who's at risk
Water utilities and electric utilities using Rockwell Automation ThinManager for remote device management and thin client control. ThinManager is commonly used to manage remote access to PLCs, RTUs, and HMIs in water treatment plants and substations.
How it could be exploited
An attacker must first gain local access to the ThinManager workstation (via physical access, compromised account, or initial remote compromise). Once local, they exploit a privilege escalation vulnerability to run commands as a higher-privilege user, which could disrupt ThinManager's ability to manage remote devices or cause the service to crash.
Prerequisites
  • Local user account on the ThinManager device
  • Windows operating system with ThinManager installed
  • low complexity privilege escalation
  • local access required, but common in engineering environments
  • affects remote management capability
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
1 with fix, 1 pending
Product | Affected Versions | Fix Status
Local Privilege Escalation | All versions | No fix yet
ThinManager: <=14.0.0 | ≤ 14.0.0 | 14.0.2
Remediation & Mitigation
Do now
HARDENING: Restrict local login access to ThinManager workstations to authorized engineering personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ThinManager to v14.0.2 or later
HOTFIX: For older ThinManager versions still in use, apply vendor patches: v11.2.11, v12.0.9, v13.1.5, or v13.2.4
Long-term hardening
HARDENING: Implement Windows local account and Group Policy hardening to limit privilege escalation vectors
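As an added example (not from the advisory, ICS-CERT, or Rockwell Automation), the following PowerShell script turns the fixed-version list above into a local patch-status check an administrator can run on a ThinManager workstation. It assumes ThinManager registers a standard Windows uninstall entry whose DisplayName contains "ThinManager" (an assumption; confirm the entry name on your own host), and it reports branches the advisory does not list as "check vendor guidance" rather than guessing.

```powershell
# Added example, not part of the advisory or the vendor's tooling.
# Compares the installed ThinManager version against the fixed releases
# named in ICSA-25-119-01 (11.2.11, 12.0.9, 13.1.5, 13.2.4, 14.0.2).

# Fixed release per major.minor branch, taken from the advisory text.
$FixedByBranch = @{
    '11.2' = [version]'11.2.11'
    '12.0' = [version]'12.0.9'
    '13.1' = [version]'13.1.5'
    '13.2' = [version]'13.2.4'
    '14.0' = [version]'14.0.2'
}

function Get-ThinManagerPatchStatus {
    param([Parameter(Mandatory)][version]$Installed)

    $branch = '{0}.{1}' -f $Installed.Major, $Installed.Minor
    if (-not $FixedByBranch.ContainsKey($branch)) {
        # Branch not covered by the advisory's fix list: do not assume either way.
        return [pscustomobject]@{
            Installed = $Installed
            Branch    = $branch
            Fixed     = $null
            Status    = 'No fixed release listed for this branch; check vendor guidance'
        }
    }

    $fixed  = $FixedByBranch[$branch]
    $status = if ($Installed -ge $fixed) { 'Patched' } else { "Vulnerable; update to $fixed or later" }
    [pscustomobject]@{
        Installed = $Installed
        Branch    = $branch
        Fixed     = $fixed
        Status    = $status
    }
}

# Look for the product in the standard 32- and 64-bit Uninstall registry keys.
# The DisplayName filter '*ThinManager*' is an assumption about how the
# installer registers itself.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entries = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*ThinManager*' -and $_.DisplayVersion }

if (-not $entries) {
    Write-Output 'No ThinManager uninstall entry found on this host.'
}
else {
    foreach ($entry in $entries) {
        $parsed = $null
        if ([version]::TryParse($entry.DisplayVersion, [ref]$parsed)) {
            Get-ThinManagerPatchStatus -Installed $parsed
        }
        else {
            Write-Output "Could not parse version '$($entry.DisplayVersion)' for $($entry.DisplayName)"
        }
    }
}
```

Run it in an elevated PowerShell session on each ThinManager workstation and record the output alongside the maintenance-window plan; a host whose version parses but sits below its branch's fixed release is the one to schedule first.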
API: /api/v1/advisories/5a8f0251-4c50-422b-beb9-62865632bcff
