## CVE-2023-27855
Published: 2023-03-22
Priority: P2 · 76 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 13.45% (96.0th percentile)
In affected versions, a path traversal exists when processing a message in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker could overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.
## Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwellautomation | thinmanager | — | — |
| rockwellautomation | thinmanager | — | — |
| rockwellautomation | thinmanager | 11.0.0 – 11.0.5 | — |
| rockwellautomation | thinmanager | 11.1.0 – 11.1.5 | — |
| rockwellautomation | thinmanager | 11.2.0 – 11.2.6 | — |
| rockwellautomation | thinmanager | 12.0.0 – 12.0.4 | — |
| rockwellautomation | thinmanager | 12.1.0 – 12.1.5 | — |
| rockwellautomation | thinmanager | 6.0.0 – 10.0.2 | — |
## Detection & IOCs
- Monitor for unauthenticated connections to TCP port 2031 on ThinManager hosts, especially from sources other than known thin clients or ThinManager servers.
- Detect path traversal exploitation by inspecting message type 7 or 35 payloads on TCP/2031 for sequences of '../' or '..\' in the file_name field, indicating an attempt to write outside the intended directory.
- Alert on unexpected file creation or modification of executable files (e.g., .exe) under the ThinManager installation directory, particularly by ThinServer.exe running as NT AUTHORITY\SYSTEM.
- Detect exploitation of CVE-2023-27857 by monitoring for a large number of tmp files being created in C:\ProgramData\Rockwell Software\ThinManager\tmp\ in a short time period.
- Detect the path traversal upload request by looking for the message type byte sequence '00 07' or '00 23' (types 7 and 35) at the start of a TCP/2031 payload followed by repeated '2E 2E 5C' (..\) patterns in the body.
- The vulnerability is exploitable without authentication; no credentials are required to send malicious message types 7 or 35 to the ThinServer synchronization thread on TCP/2031.
- ThinServer.exe runs as NT AUTHORITY\SYSTEM, meaning any uploaded/overwritten executable will execute with full system privileges.
- Versions 6.x–10.x are retired and will not receive patches; operators must upgrade to a supported version.
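The following is an added detection example, not code from the original page, from Rockwell Automation, or from any published rule. It turns the two payload-level indicators above into a classifier for captured TCP/2031 payloads: the first two bytes are read as a big-endian message type and compared against types 7 and 35, and the remainder is searched for '..\' (hex 2E 2E 5C) and '../' sequences. The real ThinServer message layout is not modelled; the two-byte type prefix and the treatment of everything after it as "body" are assumptions taken only from the indicator text, and the sample payloads are constructed for the demonstration.

```python
"""Classify TCP/2031 payloads for the CVE-2023-27855 traversal-upload pattern.

Added example (not the page's or vendor's code). Assumptions: the message type
is the first two bytes, big-endian, and any bytes after it are the message body.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Message types the advisory text names as the file-upload handlers.
UPLOAD_MESSAGE_TYPES = {7, 35}

# Traversal sequences in both separator styles; b"..\\" is the 2E 2E 5C pattern.
TRAVERSAL_MARKERS = (b"..\\", b"../")


@dataclass
class Verdict:
    message_type: Optional[int]   # None when the payload is too short to carry one
    traversal_count: int          # number of traversal sequences found in the body
    suspicious: bool              # True only for an upload type *with* traversal
    reason: str


def inspect_payload(payload: bytes) -> Verdict:
    """Return a verdict for a single payload seen on the ThinServer listener."""
    if len(payload) < 2:
        return Verdict(None, 0, False, "payload too short to carry a message type")
    msg_type = int.from_bytes(payload[:2], "big")
    body = payload[2:]
    count = sum(body.count(marker) for marker in TRAVERSAL_MARKERS)
    if msg_type not in UPLOAD_MESSAGE_TYPES:
        # Traversal text in a non-upload message is noted but not alerted on here.
        return Verdict(msg_type, count, False, "not an upload message type")
    if count == 0:
        return Verdict(msg_type, 0, False, "upload message without traversal sequences")
    return Verdict(msg_type, count, True,
                   f"type {msg_type} upload carrying {count} traversal sequence(s)")


def scan_capture(payloads: List[bytes]) -> List[Tuple[int, Verdict]]:
    """Run inspect_payload over a list of payloads; return (index, verdict) alerts."""
    alerts = []
    for idx, payload in enumerate(payloads):
        verdict = inspect_payload(payload)
        if verdict.suspicious:
            alerts.append((idx, verdict))
    return alerts


# Constructed sample payloads (not real captures): a benign type-7 upload, a
# type-7 upload escaping the target directory, a type-35 upload using forward
# slashes, a non-upload message that happens to contain '..\', and a runt.
SAMPLE_PAYLOADS = [
    b"\x00\x07client.ini",
    b"\x00\x07..\\..\\..\\test.bin",
    b"\x00\x23../../test.bin",
    b"\x00\x01..\\x",
    b"\x00",
]

if __name__ == "__main__":
    for idx, verdict in scan_capture(SAMPLE_PAYLOADS):
        print(f"ALERT payload #{idx}: {verdict.reason}")
```

Feeding this the constructed samples flags payloads 1 and 2 only; the non-upload message with '..\' in it and the benign upload are left alone, which keeps the rule anchored to the specific message types the indicator names rather than any stray dot-dot text on the port.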
## GHSA
GHSA-pp6m-q8hc-23jj: A path traversal exists when processing a message in Rockwell Automation's ThinManager ThinServer
GHSA (unreviewed) · 2023-03-22 · CVE-2023-27855 · [CRITICAL] · CWE-22
A path traversal exists when processing a message in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker could overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.
## CISA ICS
Rockwell Automation ThinManager
CISA ICS · 2023-03-21 · CVSS 9.8 · [CRITICAL]
ICS Advisory
## Rockwell Automation ThinManager
Release Date: March 21, 2023
Alert Code: ICSA-23-080-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: ThinManager ThinServer
- Vulnerabilities: Path Traversal, Heap-Based Buffer Overflow
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to potentially perform remote code execution on the target system/device or crash the software.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Rockwell Automation ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software, are affected:
- ThinManager ThinServer: Versions 6.x –
No detection rules found.
Published: 2023-03-22