CVE-2023-27856
published 2023-03-22


Priority P277 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 76.13% (99.5th percentile)

In affected versions, path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.

Affected

15 ranges
Vendor | Product | Version range | Fixed in
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwell_automation | thinmanager_thinserver | |
rockwellautomation | thinmanager | |
rockwellautomation | thinmanager | |
rockwellautomation | thinmanager | 11.0.0 – 11.0.5 |
rockwellautomation | thinmanager | 11.1.0 – 11.1.5 |
rockwellautomation | thinmanager | 11.2.0 – 11.2.6 |
rockwellautomation | thinmanager | 12.0.0 – 12.0.4 |
rockwellautomation | thinmanager | 12.1.0 – 12.1.5 |
rockwellautomation | thinmanager | 6.0.0 – 10.0.2 |

Detection & IOCs (extracted from sources)

port: 2031/TCP
path: \ProgramData\Rockwell Software\ThinManager\tmp\
process: ThinServer.exe
path: \Program Files\Rockwell Software\ThinManager\evil.exe
  • Detect CVE-2023-27856 exploitation by monitoring TCP port 2031 for message type 8 (hdr.type = 0x0008) packets containing path traversal sequences (e.g., '..\' repeated sequences) in the file_name field.
  • The exploit request begins with the two-byte big-endian message type 0x0008 followed by flags 0x0001 (request). Network signatures should match the byte pattern '00 08 00 01' at the start of the TCP payload on port 2031.
  • Monitor for unexpected file creation under C:\ProgramData\Rockwell Software\ThinManager\tmp\ (tmpinstallfile_* pattern), which may indicate exploitation of the related heap buffer overflow (CVE-2023-27857) chained with the path traversal download.
  • Block or alert on inbound connections to TCP port 2031 from sources other than known thin clients and ThinManager servers, as this is the default listening port for the vulnerable ThinServer.exe service.
  • The vulnerable service runs as NT AUTHORITY\SYSTEM; any process spawned from ThinServer.exe or unexpected file reads initiated by it should be treated as high-severity indicators of compromise.
  • Versions 6.x–10.x are retired and will not receive patches; environments running these versions remain permanently vulnerable and require upgrade to a supported release.
  • The path traversal download (CVE-2023-27856) can be chained with the heap buffer overflow (CVE-2023-27857) to first generate memory-leaking tmp files and then exfiltrate them, increasing the effective impact beyond a simple file read.
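
The two network checks in the detection notes above (the `00 08 00 01` prefix on port 2031 and traversal sequences in the request), sketched as an added example that is not code from this page's sources or from the vendor. The function name, verdict strings and sample payloads are constructed for illustration; scanning everything after the 4-byte prefix, in both ASCII and UTF-16LE, is an assumption because the page does not give the rest of the message layout.

```python
import re
import struct

THINSERVER_PORT = 2031   # default ThinServer.exe listening port (from the page)
MSG_TYPE = 0x0008        # hdr.type of the affected message
FLAG_REQUEST = 0x0001    # flags value that marks a request

# One or more "..\" or "../" steps, as ASCII or UTF-16LE bytes. Checking both
# encodings is an assumption: the page does not say how file_name is encoded.
TRAVERSAL = re.compile(rb"(?:\.\.[\\/])+|(?:\.\x00\.\x00[\\/]\x00)+")


def classify(dst_port: int, payload: bytes) -> str:
    """Return 'ignore', 'type8-request' or 'alert' for one TCP payload."""
    if dst_port != THINSERVER_PORT or len(payload) < 4:
        return "ignore"
    msg_type, flags = struct.unpack_from(">HH", payload, 0)  # big-endian
    if (msg_type, flags) != (MSG_TYPE, FLAG_REQUEST):
        return "ignore"
    # Only the 4-byte prefix is documented on the page, so everything after
    # it is scanned as an opaque blob rather than parsed field by field.
    return "alert" if TRAVERSAL.search(payload, 4) else "type8-request"


# Constructed sample payloads (not captured traffic, not the real wire layout).
HDR = bytes.fromhex("00080001")
SAMPLES = {
    "plain name": (2031, HDR + b"firmware.bin\x00"),
    "ascii traversal": (2031, HDR + b"..\\..\\..\\example.txt\x00"),
    "utf16 traversal": (2031, HDR + "..\\..\\example.txt".encode("utf-16-le")),
    "other message type": (2031, bytes.fromhex("00090001") + b"..\\..\\x"),
    "other port": (8080, HDR + b"..\\..\\x"),
}


def run_samples() -> dict:
    """Classify every constructed sample and return name -> verdict."""
    return {name: classify(port, data) for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20} {verdict}")
```

The same prefix-plus-pattern logic carries over to an IDS rule; a `type8-request` verdict from a source that is not a known thin client or ThinManager server is still worth reviewing under the port 2031 allow-list note above.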