Rockwell Automation ThinManager

Plan Patch | CVSS 7.2 | ICS-CERT ICSA-25-252-01 | Sep 9, 2025
Rockwell Automation
Attack path
  • Attack Vector: Network
  • Auth Required: High
  • Complexity: Low
  • User Interaction: None needed
Summary

A Server-Side Request Forgery (SSRF) vulnerability in Rockwell Automation ThinManager (CWE-918) allows an attacker with high-privilege access to capture the NTLM authentication hash of the ThinServer service account. This hash could be used to authenticate as the service account and potentially move laterally within the network. Versions 13.0 through 14.0 are affected; the vulnerability is corrected in version 14.1 and later. Older versions (pre-13.0) are not eligible for patching.

What this means
What could happen
An attacker with high privileges could exploit an SSRF vulnerability to capture the ThinServer service account NTLM hash, potentially enabling credential theft and lateral movement within your network.
Who's at risk
Organizations operating Rockwell Automation ThinManager in manufacturing, automotive, pharmaceuticals, or utilities should assess this risk. ThinManager is commonly used for terminal emulation and thin-client management; compromise of the ThinServer service account could allow lateral movement into process networks and access to backend systems that the service account can reach.
How it could be exploited
An attacker with administrative or high-privilege access to ThinManager initiates a Server-Side Request Forgery (SSRF) attack that tricks the ThinServer service into making unauthorized network requests. This allows the attacker to intercept and capture the NTLM authentication hash used by the ThinServer service account, which could then be used to authenticate as that service in other parts of your network.
Prerequisites
  • High-privilege access to ThinManager console (administrative credentials)
  • Network access to ThinManager application
  • High privilege required to exploit
  • Allows credential theft (NTLM hash exposure)
  • Affects service account with potential network privileges
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
1 with fix, 1 EOL
Product | Affected Versions | Fix Status
ThinManager SSRF Vulnerability | All versions | No fix (EOL)
ThinManager | >= 13.0 and <= 14.0 | 14.1
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to ThinManager to authorized users only; do not expose it to the internet or untrusted networks
HARDENING: Limit administrative access to ThinManager to a minimal set of authorized personnel
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade ThinManager to version 14.1 or later
HARDENING: Disable NTLM authentication on SMB connections in Windows Server and restrict to Kerberos or other stronger protocols
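The PowerShell script below is an added example, not part of this advisory or of Rockwell's own guidance. It audits the NTLM and SMB-signing posture of the Windows Server hosting ThinServer, shows the current value of each setting beside the hardened value, enables NTLM auditing so that anything still depending on NTLM is recorded before it is denied, and lists recent NTLM network logons for the ThinServer service account. The account name 'svc-thinserver' is a placeholder, and the registry values used are the documented backing values of the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies (a Group Policy that sets them will overwrite local edits at the next refresh). Run it elevated on the ThinManager host.

```powershell
# Added example for the NTLM hardening item above; not the advisory's or Rockwell's code.
# Assumptions: 'svc-thinserver' is a placeholder for the real ThinServer service account;
# registry paths/values are the backing values of the Restrict NTLM and LM auth level policies.

$ServiceAccount = 'svc-thinserver'   # placeholder: replace with the ThinServer service account
$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent => policy default applies
    return [int]$item.$Name
}

function Get-NtlmPosture {
    # Each entry pairs the setting with its hardened value, so the report shows the gap.
    $checks = @(
        @{ Setting = 'LmCompatibilityLevel';         Path = $LsaPath;  Hardened = 5 }  # 5 = NTLMv2 only, refuse LM and NTLM
        @{ Setting = 'RestrictReceivingNTLMTraffic'; Path = $Msv1Path; Hardened = 2 }  # 2 = deny all incoming NTLM
        @{ Setting = 'RestrictSendingNTLMTraffic';   Path = $Msv1Path; Hardened = 2 }  # 2 = deny all outgoing NTLM
        @{ Setting = 'AuditReceivingNTLMTraffic';    Path = $Msv1Path; Hardened = 2 }  # 2 = audit all accounts
    )
    foreach ($c in $checks) {
        $current = Get-RegDword -Path $c.Path -Name $c.Setting
        $shown = if ($null -eq $current) { 'not set (default)' } else { $current }
        [pscustomobject]@{
            Setting  = $c.Setting
            Current  = $shown
            Hardened = $c.Hardened
            Ok       = ($null -ne $current -and $current -ge $c.Hardened)
        }
    }
    # SMB signing: a signed session cannot be relayed even if NTLM is still negotiated.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{ Setting = 'SMB server RequireSecuritySignature'; Current = $srv.RequireSecuritySignature; Hardened = $true; Ok = $srv.RequireSecuritySignature }
    [pscustomobject]@{ Setting = 'SMB client RequireSecuritySignature'; Current = $cli.RequireSecuritySignature; Hardened = $true; Ok = $cli.RequireSecuritySignature }
}

function Enable-NtlmAudit {
    # Audit mode first: records what would break before NTLM is denied outright.
    New-Item -Path $Msv1Path -Force | Out-Null
    Set-ItemProperty -Path $Msv1Path -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv1Path -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord   # 1 = audit outgoing NTLM
    # The audit events (8001-8004) land in the NTLM operational log, which is disabled by default.
    $log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration 'Microsoft-Windows-NTLM/Operational'
    $log.IsEnabled = $true
    $log.SaveChanges()
}

function Get-ServiceAccountNtlmLogons {
    param([int]$Hours = 24)
    # Security event 4624 carries the authentication package. NTLM network logons
    # (type 3) for the service account from hosts that are not ThinManager clients
    # are the signal that the service account's credential is being used elsewhere.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM' -and $d.LogonType -eq '3' -and $d.TargetUserName -eq $ServiceAccount) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = $d.TargetUserName
                Source      = $d.IpAddress
                Workstation = $d.WorkstationName
            }
        }
    }
}

Get-NtlmPosture | Format-Table -AutoSize
Enable-NtlmAudit
Get-ServiceAccountNtlmLogons -Hours 24 | Format-Table -AutoSize
```

Both directions matter here: the outgoing restriction (RestrictSendingNTLMTraffic) is what stops the ThinServer service account from offering an NTLM response to a host it was tricked into contacting, while the incoming restriction and mandatory SMB signing address replay of a credential that was already captured. Leave the setting in audit mode long enough to cover a full production cycle, review the 8001-8004 events for legitimate dependencies, and only then raise the value to deny.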