CVE-2023-27855
published 2023-03-22

Priority: P2 76, critical
CVSS 3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 13.45% (96.0th percentile)

In affected versions, a path traversal exists when processing a message in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker could overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.

Affected

15 ranges
Vendor | Product | Version range | Fixed in
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwellautomation | thinmanager | |
rockwellautomation | thinmanager | |
rockwellautomation | thinmanager | 11.0.0 – 11.0.5 |
rockwellautomation | thinmanager | 11.1.0 – 11.1.5 |
rockwellautomation | thinmanager | 11.2.0 – 11.2.6 |
rockwellautomation | thinmanager | 12.0.0 – 12.0.4 |
rockwellautomation | thinmanager | 12.1.0 – 12.1.5 |
rockwellautomation | thinmanager | 6.0.0 – 10.0.2 |

Detection & IOCs (extracted from sources)

port: 2031/TCP
path: C:\ProgramData\Rockwell Software\ThinManager\tmp\
process: ThinServer.exe
  • Monitor for unauthenticated connections to TCP port 2031 on ThinManager hosts, especially from sources other than known thin clients or ThinManager servers.
  • Detect path traversal exploitation by inspecting message type 7 or 35 payloads on TCP/2031 for sequences of '../' or '..\' in the file_name field, indicating an attempt to write outside the intended directory.
  • Alert on unexpected file creation or modification of executable files (e.g., .exe) under the ThinManager installation directory, particularly by ThinServer.exe running as NT AUTHORITY\SYSTEM.
  • Detect exploitation of CVE-2023-27857 by monitoring for a large number of tmp files being created in C:\ProgramData\Rockwell Software\ThinManager\tmp\ in a short time period.
  • Detect the path traversal upload request by looking for the message type byte sequence '00 07' or '00 23' (types 7 and 35) at the start of a TCP/2031 payload followed by repeated '2E 2E 5C' (..\) patterns in the body.
  • The vulnerability is exploitable without authentication; no credentials are required to send malicious message types 7 or 35 to the ThinServer synchronization thread on TCP/2031.
  • ThinServer.exe runs as NT AUTHORITY\SYSTEM, meaning any uploaded/overwritten executable will execute with full system privileges.
  • Versions 6.x–10.x are retired and will not receive patches; operators must upgrade to a supported version.
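
The network checks listed above (unexpected sources on TCP/2031, and type 7 or 35 payloads carrying '..\' or '../'), as an added Python example that is not taken from the page's sources or from Rockwell Automation. It assumes a sensor has already reassembled each client payload and that the message type is the 2-byte big-endian value at offset 0, as the '00 07' / '00 23' byte sequences imply; the function names, the 10.20.0.0/24 allowlist and the sample flows are constructed for illustration.

```python
import ipaddress
import re
import struct

# Message types the page names as carrying the file_name field (7 and 35).
UPLOAD_TYPES = {7, 35}
# '..\' (2E 2E 5C) or '../' (2E 2E 2F) anywhere after the type bytes.
TRAVERSAL = re.compile(rb"\.\.[\\/]")
THINSERVER_PORT = 2031


def inspect_payload(payload):
    """Return a finding dict for one reassembled TCP/2031 payload, or None."""
    if len(payload) < 2:
        return None  # too short to carry the 2-byte type
    (msg_type,) = struct.unpack_from(">H", payload, 0)
    if msg_type not in UPLOAD_TYPES:
        return None
    hits = TRAVERSAL.findall(payload[2:])
    if not hits:
        return None
    return {"msg_type": msg_type, "traversal_sequences": len(hits)}


def triage(flows, known_clients):
    """flows: iterable of (src_ip, dst_port, payload). Returns alert dicts."""
    allowed = [ipaddress.ip_network(n) for n in known_clients]
    alerts = []
    for src, dport, payload in flows:
        if dport != THINSERVER_PORT:
            continue
        known = any(ipaddress.ip_address(src) in net for net in allowed)
        finding = inspect_payload(payload)
        if finding:
            alerts.append({"src": src, "rule": "path-traversal-upload", **finding})
        elif not known:
            alerts.append({"src": src, "rule": "unexpected-source"})
    return alerts


# Constructed sample data: type bytes plus placeholder bodies, not real ThinServer frames.
SAMPLE_FLOWS = [
    ("10.20.0.15", 2031, b"\x00\x07" + b"profile.cfg"),
    ("10.20.0.15", 2031, b"\x00\x23" + b"..\\..\\placeholder.bin"),
    ("192.0.2.44", 2031, b"\x00\x01" + b"hello"),
    ("192.0.2.44", 443, b"\x00\x07..\\x"),
    ("10.20.0.16", 2031, b"\x00"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS, ["10.20.0.0/24"]):
        print(alert)
```

A traversal finding is raised even for an allowlisted source, since a known thin client address does not make a '..\' in the file_name field legitimate.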