CVE-2023-27856
Published 2023-03-22
Priority P2 · 77 · high · 7.5 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 76.13% (99.5th percentile)
In affected versions, path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwellautomation | thinmanager | — | — |
| rockwellautomation | thinmanager | — | — |
| rockwellautomation | thinmanager | 11.0.0 – 11.0.5 | — |
| rockwellautomation | thinmanager | 11.1.0 – 11.1.5 | — |
| rockwellautomation | thinmanager | 11.2.0 – 11.2.6 | — |
| rockwellautomation | thinmanager | 12.0.0 – 12.0.4 | — |
| rockwellautomation | thinmanager | 12.1.0 – 12.1.5 | — |
| rockwellautomation | thinmanager | 6.0.0 – 10.0.2 | — |
Detection & IOCs (extracted from sources)
- Detect CVE-2023-27856 exploitation by monitoring TCP port 2031 for message type 8 (hdr.type = 0x0008) packets containing path traversal sequences (e.g., '..\' repeated sequences) in the file_name field.
- The exploit request begins with the two-byte big-endian message type 0x0008 followed by flags 0x0001 (request). Network signatures should match the byte pattern '00 08 00 01' at the start of the TCP payload on port 2031.
- Monitor for unexpected file creation under C:\ProgramData\Rockwell Software\ThinManager\tmp\ (tmpinstallfile_* pattern), which may indicate exploitation of the related heap buffer overflow (CVE-2023-27857) chained with the path traversal download.
- Block or alert on inbound connections to TCP port 2031 from sources other than known thin clients and ThinManager servers, as this is the default listening port for the vulnerable ThinServer.exe service.
- The vulnerable service runs as NT AUTHORITY\SYSTEM; any process spawned from ThinServer.exe or unexpected file reads initiated by it should be treated as high-severity indicators of compromise.
- Versions 6.x–10.x are retired and will not receive patches; environments running these versions remain permanently vulnerable and require upgrade to a supported release.
- The path traversal download (CVE-2023-27856) can be chained with the heap buffer overflow (CVE-2023-27857) to first generate memory-leaking tmp files and then exfiltrate them, increasing the effective impact beyond a simple file read.
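The first two detection items above, written as a payload check. This is an added example, not code from the advisory or from Rockwell Automation. The page gives only the four header bytes, so the check scans everything after them for traversal sequences rather than parsing file_name at a known offset; the UTF-16LE variant and all sample payloads are assumptions constructed for illustration.

```python
import re
import struct

THINSERVER_PORT = 2031   # default ThinServer.exe listening port (from the page)
MSG_TYPE = 0x0008        # message type 8
FLAG_REQUEST = 0x0001    # flags value for a request

# One or more "..\" or "../" components. The ASCII form follows the page;
# the UTF-16LE form is an assumption, since the page does not state the
# encoding of the file_name field.
TRAVERSAL_ASCII = re.compile(rb"(?:\.\.[\\/])+")
TRAVERSAL_UTF16 = re.compile(rb"(?:\.\x00\.\x00[\\/]\x00)+")


def inspect_payload(dst_port: int, payload: bytes) -> str:
    """Classify the first TCP payload of a connection.

    Returns "ignore", "type8-request" or "alert-traversal".
    """
    if dst_port != THINSERVER_PORT or len(payload) < 4:
        return "ignore"
    # Header starts with two big-endian 16-bit fields: type, then flags.
    msg_type, flags = struct.unpack(">HH", payload[:4])
    if (msg_type, flags) != (MSG_TYPE, FLAG_REQUEST):
        return "ignore"
    # Field offsets past the header are not given on the page, so scan
    # everything after it instead of parsing file_name at a fixed offset.
    body = payload[4:]
    if TRAVERSAL_ASCII.search(body) or TRAVERSAL_UTF16.search(body):
        return "alert-traversal"
    return "type8-request"


# Constructed sample payloads: only the first four bytes follow the page;
# the filler and file names after them are made up for this example.
HDR = bytes.fromhex("00080001")
SAMPLES = [
    (2031, HDR + b"\x00" * 4 + b"..\\..\\..\\placeholder.txt\x00"),
    (2031, HDR + b"\x00" * 4 + "..\\..\\placeholder.txt".encode("utf-16-le")),
    (2031, HDR + b"\x00" * 4 + b"firmware.bin\x00"),
    (2031, bytes.fromhex("00090001") + b"..\\..\\placeholder.txt"),
    (445, HDR + b"..\\..\\placeholder.txt"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, data[:4].hex(" "), inspect_payload(port, data))
```

Run it on the reassembled start of each stream, since a request split across TCP segments would otherwise be missed. A "type8-request" result from a source outside the known thin-client list is still worth an alert under the fourth item above.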
GHSA
GHSA-9hjj-m2fc-f62r: A path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer
ghsa_unreviewed·2023-03-22
CVE-2023-27856 [HIGH] CWE-22 GHSA-9hjj-m2fc-f62r: A path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer
A path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.
CISA ICS
Rockwell Automation ThinManager
cisa_ics·2023-03-21·CVSS 9.8
[CRITICAL] Rockwell Automation ThinManager
ICS Advisory
## Rockwell Automation ThinManager
Release Date: March 21, 2023
Alert Code: ICSA-23-080-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: ThinManager ThinServer
- Vulnerabilities: Path Traversal, Heap-Based Buffer Overflow
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to potentially perform remote code execution on the target system/device or crash the software.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Rockwell Automation ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software, are affected:
- ThinManager ThinServer: Versions 6.x –
No detection rules found.
Published: 2023-03-22