Rockwell Local Privilege Escalation and denial-of-service Vulnerability in ThinManager®
Monitor · CVSS 7.8 · SD1727 · Apr 15, 2025
Summary
A local privilege escalation vulnerability exists in Rockwell ThinManager that allows an attacker with local user-level access to escalate to system privileges without authentication. The vulnerability also enables denial-of-service attacks against the ThinManager service. No patch is currently available from Rockwell Automation. The flaw affects all versions of ThinManager and is tracked under ROCKWELL SD1727 with CVSS 7.8 (High).
What this means
What could happen
An attacker with local access to a ThinManager workstation could escalate privileges to system level, potentially modifying HMI configurations, altering process controls, or disrupting visualization of plant operations. Denial-of-service conditions could interrupt monitoring and control of critical equipment.
Who's at risk
Operators and IT staff at water utilities, electric utilities, and manufacturing plants using Rockwell ThinManager for HMI visualization and control should assess their deployment. ThinManager is commonly used to remotely monitor and control PLCs and other control devices in industrial environments. Any facility where an operator workstation is shared among multiple users or where local console access is not strictly controlled faces elevated risk.
How it could be exploited
An attacker with local user account access to a ThinManager workstation exploits a privilege escalation flaw to gain system-level privileges. From there, they can modify HMI configurations, interfere with process control commands sent to PLCs, or crash the ThinManager service to disrupt operator visibility and control.
Prerequisites
- Local user account on the ThinManager workstation
- Physical or remote desktop access to the machine
- No elevated privileges required to trigger the vulnerability
Tags: no patch available · local privilege escalation · affects HMI and operator control · denial-of-service capability · low attack complexity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Local Privilege Escalation | All versions | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Restrict local user access to ThinManager workstations to trusted personnel only; enforce strong authentication and account provisioning controls
- HARDENING: Implement application whitelisting and disable unnecessary local accounts on ThinManager systems
Schedule — requires maintenance window
- Patching may require device reboot — plan for process interruption
- HARDENING: Monitor ThinManager process logs for unusual privilege escalation attempts or service crashes indicative of DoS activity
Long-term hardening
- HARDENING: Segment ThinManager workstations on a dedicated network with strict inbound/outbound access controls to limit lateral movement if a workstation is compromised
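As an added detection example (not part of the advisory or of Rockwell's tooling), the following Python sketches the two checks the monitoring item above calls for: a burst of unexpected ThinManager service terminations as a DoS indicator, and process creations in which a non-SYSTEM account ends up with a process running as SYSTEM. The service name ThinServer, the flattened field names and the sample records are constructed assumptions modelled on Windows Service Control Manager event 7034 and Security event 4688.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumptions (not from the advisory): the ThinManager Windows service is named
# "ThinServer"; records are flattened from System event 7034 (service terminated
# unexpectedly) and Security event 4688 (process creation, Creator/Target Subject).
THINMANAGER_SERVICE = "ThinServer"
SYSTEM_SID = "S-1-5-18"
ELEVATION_BROKERS = {"services.exe", "svchost.exe", "wininit.exe", "consent.exe"}  # legit SYSTEM parents

# Constructed sample events for offline testing.
SAMPLE_EVENTS = [
    {"time": "2025-04-15T08:00:05", "id": 7034, "service": "ThinServer"},
    {"time": "2025-04-15T08:00:41", "id": 7034, "service": "ThinServer"},
    {"time": "2025-04-15T08:01:10", "id": 7034, "service": "ThinServer"},
    {"time": "2025-04-15T08:02:00", "id": 4688, "creator_sid": "S-1-5-21-1-2-3-1105",
     "target_sid": SYSTEM_SID, "parent": "ThinServer.exe", "process": "cmd.exe"},
    {"time": "2025-04-15T08:03:00", "id": 4688, "creator_sid": SYSTEM_SID,
     "target_sid": SYSTEM_SID, "parent": "services.exe", "process": "svchost.exe"},
    {"time": "2025-04-15T08:04:00", "id": 4688, "creator_sid": "S-1-5-21-1-2-3-1105",
     "target_sid": "S-1-5-21-1-2-3-1105", "parent": "explorer.exe", "process": "notepad.exe"},
]

def service_crash_bursts(events, service=THINMANAGER_SERVICE, threshold=3,
                         window=timedelta(minutes=5)):
    """Times at which `threshold` unexpected terminations (7034) of `service`
    fell within `window`: repeated crashes are the DoS signal to alert on."""
    crashes = sorted(datetime.fromisoformat(e["time"]) for e in events
                     if e["id"] == 7034 and e.get("service") == service)
    bursts, recent = [], deque()
    for t in crashes:
        recent.append(t)
        while t - recent[0] > window:   # drop crashes older than the window
            recent.popleft()
        if len(recent) == threshold:    # report once, when the burst forms
            bursts.append(t.isoformat())
    return bursts

def user_to_system_creations(events, brokers=ELEVATION_BROKERS):
    """4688 records where a non-SYSTEM account created a process that runs as
    SYSTEM and the parent is not a known elevation broker."""
    return [e for e in events
            if e["id"] == 4688 and e["target_sid"] == SYSTEM_SID
            and e["creator_sid"] != SYSTEM_SID
            and e["parent"].rsplit("\\", 1)[-1].lower() not in brokers]

def analyze(events):
    return {"dos_bursts": service_crash_bursts(events),
            "escalations": [e["time"] for e in user_to_system_creations(events)]}
```

Thresholds and the broker allow-list are starting points; tune them against a baseline of normal ThinServer restarts and legitimate SYSTEM process creation on the workstation.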
CVEs (2)