OTPulse

Rockwell Automation ThinManager

Plan Patch · CVSS 7.2 · ICS-CERT ICSA-25-252-01 · Sep 9, 2025
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Rockwell Automation ThinManager versions 13.0 through 14.0 allows an attacker with high-privilege access to expose the ThinServer service account NTLM hash. Successful exploitation could expose credentials used by the ThinServer service, potentially enabling lateral movement or access to other networked resources.

What this means
What could happen
An attacker with high-privilege access to ThinManager could capture the ThinServer service account's NTLM credentials, enabling them to move laterally within your network or access other systems using those credentials.
Who's at risk
Water utilities, electric utilities, and manufacturing plants using Rockwell Automation ThinManager for terminal management and visualization (versions 13.0 through 14.0) should be aware that their ThinServer service accounts are at risk of credential exposure.
How it could be exploited
An attacker with administrator or high-privilege access to ThinManager could trigger a forced NTLM authentication event that exposes the ThinServer service account hash. This hash could then be cracked offline or relayed to gain access to other network resources.
Prerequisites
  • High-privilege credentials or access to ThinManager (administrator role)
  • Network access to ThinManager service
  • Ability to initiate authentication from the ThinServer service account
  • Requires high-privilege access
  • Low network complexity
  • Credential exposure enables lateral movement
  • Service account compromise could affect connected systems
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
ThinManager | ≥ 13.0 and ≤ 14.0 | 14.1
Remediation & Mitigation
Do now
  • WORKAROUND: Block NTLM connections on SMB in Windows Server 2025 using Microsoft security guidance
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HOTFIX: Upgrade ThinManager to version 14.1 or later
Long-term hardening
  • HARDENING: Isolate ThinManager and ThinServer systems behind firewalls, restricting network access from business networks and the internet
  • HARDENING: Implement network segmentation to limit lateral movement if service account credentials are compromised
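
The "Block NTLM connections on SMB" workaround listed above, as an added PowerShell example (not Rockwell Automation's or OTPulse's code): it audits the SMB client's BlockNTLM setting on the ThinServer host and enables it if it is off. It assumes Windows Server 2025, an elevated session, and the hypothetical function name Set-SmbNtlmBlock.

```powershell
# Added example: audit and enable the SMB client NTLM block on a ThinServer host.
# Assumptions: Windows Server 2025, where the SMB client exposes BlockNTLM,
# and an elevated PowerShell session. Set-SmbNtlmBlock is a hypothetical name.
function Set-SmbNtlmBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $cfg = Get-SmbClientConfiguration

    # Older builds have no BlockNTLM property; the workaround does not apply there.
    if ($null -eq $cfg.PSObject.Properties['BlockNTLM']) {
        Write-Warning 'This SMB client has no BlockNTLM setting; upgrade ThinManager to 14.1 or later instead.'
        return $false
    }

    # Idempotent: leave the configuration alone if the block is already on.
    if ($cfg.BlockNTLM) {
        Write-Verbose 'Outbound SMB NTLM is already blocked.'
        return $true
    }

    if ($PSCmdlet.ShouldProcess('SMB client configuration', 'Set BlockNTLM to $true')) {
        Set-SmbClientConfiguration -BlockNTLM $true -Confirm:$false
    }

    # Re-read the setting so the return value reflects the live state.
    return [bool](Get-SmbClientConfiguration).BlockNTLM
}

# Preview the change first; rerun without -WhatIf to apply it.
Set-SmbNtlmBlock -WhatIf -Verbose
```

With BlockNTLM set, the SMB client authenticates with Kerberos only, so shares reached by IP address or with local accounts stop working; check the SMB paths ThinServer depends on before applying it.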
Rockwell Automation ThinManager | CVSS 7.2 - OTPulse