CVE-2023-2915
published 2023-08-17


Priority: P1 (82)
Severity: critical, CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Exploit: available
EPSS: 78.09% (99.5th percentile)
The Rockwell Automation ThinManager ThinServer is impacted by an improper input validation vulnerability. Due to improper input validation, a path traversal vulnerability exists when the ThinManager software processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges. A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message, resulting in a denial-of-service condition.

Affected

14 ranges are listed; version data survives for the following six.

Vendor               Product                  Version range      Fixed in
rockwellautomation   thinmanager_thinserver   11.0.0 – 11.0.6
rockwellautomation   thinmanager_thinserver   11.1.0 – 11.1.6
rockwellautomation   thinmanager_thinserver   11.2.0 – 11.2.7
rockwellautomation   thinmanager_thinserver   12.0.0 – 12.0.5
rockwellautomation   thinmanager_thinserver   12.1.0 – 12.1.6
rockwellautomation   thinmanager_thinserver   13.0.0 – 13.0.2

Detection & IOCs (extracted from sources)

Port: TCP 2031
Command: python3 thinserver_path_traversal_file_deletion.py -t -p 2031 -f '\tmp\delete_me.txt'
Process: ThinServer.exe
  • CVE-2023-2915 is triggered by a crafted synchronization protocol message of type 21 (0x0015) sent to TCP port 2031. The message carries path traversal sequences (e.g. '..\') in its files[] field so that arbitrary file paths are targeted for deletion under SYSTEM context. Monitor for message type 0x0015 containing traversal patterns on port 2031.
  • The exploit message of type 21 begins with the header bytes '00 15 00 21' (type=0x0015, flags=0x0021). Network detection rules should inspect TCP port 2031 traffic for this byte pattern combined with path traversal sequences ('2E 2E 5C' = '..\').
  • Restrict inbound TCP port 2031 access to known thin clients and ThinManager servers only, to reduce the attack surface for unauthenticated exploitation.
  • The vulnerability affects ThinManager ThinServer versions 11.0.0 through 13.1.0. Inventory and flag any unpatched instance of ThinServer.exe within these version ranges as a high-priority target.
  • The synchronization protocol message structure for type 21 includes a variable fcount field giving the number of files to delete, followed by null-terminated file path strings. The path traversal payload prepends repeated '../' (or '..\') sequences to the target path. Exploit tooling must serialize this structure correctly to trigger the vulnerability.
  • The ThinServer synchronization service runs as NT AUTHORITY\SYSTEM, so any file deleted through this vulnerability is removed with full system privileges. No authentication is required to send the malicious message.
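The bullets above describe the detection surface (type 0x0015 header, fcount, null-terminated paths, traversal in either slash form) but not a working check. The following detector is an added example written for this page; it is not tooling from the source, from Rockwell Automation, or from the PoC script named above. Only the header bytes, the fcount field and the null-terminated path strings come from the page: the 16-bit big-endian width of fcount, the absence of any further header fields, and the sample payloads are assumptions made here so the code can run offline.

```python
"""Detect CVE-2023-2915-style ThinServer sync messages (type 21 / 0x0015).

Added example, not code from the page or from the vendor.
Assumed wire layout (field widths beyond the 4 header bytes are assumptions):

    u16 msg_type   big-endian, 0x0015 for the file-deletion message
    u16 flags      0x0021 in the known exploit message
    u16 fcount     number of file entries (width assumed)
    fcount x NUL-terminated path strings
"""
import re
import struct

SYNC_PORT = 2031            # ThinServer synchronization service, per the page
TYPE_21 = 0x0015
EXPLOIT_FLAGS = 0x0021
# Both traversal spellings seen in the write-ups: '..\' (2E 2E 5C) and '../'
TRAVERSAL = re.compile(rb"\.\.[\\/]")


def parse_type21(payload: bytes):
    """Parse a type-21 message under the assumed layout; None if not type 21.

    A truncated file list is parsed as far as it goes: an attacker may
    declare a large fcount and send fewer strings, and we still want to
    inspect whatever paths are present.
    """
    if len(payload) < 6:
        return None
    msg_type, flags, fcount = struct.unpack(">HHH", payload[:6])
    if msg_type != TYPE_21:
        return None
    files = []
    pos = 6
    for _ in range(fcount):
        end = payload.find(b"\x00", pos)
        if end == -1:
            break
        files.append(payload[pos:end])
        pos = end + 1
    return {"type": msg_type, "flags": flags, "fcount": fcount, "files": files}


def inspect_payload(payload: bytes, dst_port: int = SYNC_PORT) -> list:
    """Return findings for one TCP payload sent toward ThinServer.

    The header alone is only a note; header plus traversal in files[]
    is raised as an alert, matching the combined rule the page suggests.
    """
    findings = []
    if dst_port != SYNC_PORT:
        return findings
    msg = parse_type21(payload)
    if msg is None:
        return findings
    traversals = [f for f in msg["files"] if TRAVERSAL.search(f)]
    if msg["flags"] == EXPLOIT_FLAGS:
        findings.append("type 0x0015 with flags 0x0021 (header of the known exploit message)")
    for f in traversals:
        findings.append("traversal in files[]: %r" % f.decode("latin-1"))
    if msg["flags"] == EXPLOIT_FLAGS and traversals:
        findings.append("ALERT: likely CVE-2023-2915 arbitrary file deletion attempt")
    return findings


# Constructed sample payloads (assumed layout, not captured traffic).
BENIGN = struct.pack(">HHH", TYPE_21, 0x0001, 1) + b"Clients\\term01.cfg\x00"
MALICIOUS = (
    struct.pack(">HHH", TYPE_21, EXPLOIT_FLAGS, 2)
    + b"..\\..\\..\\tmp\\delete_me.txt\x00"      # backslash form, as in the PoC
    + b"../../../tmp/delete_me.txt\x00"         # forward-slash form
)
TRUNCATED = struct.pack(">HHH", TYPE_21, EXPLOIT_FLAGS, 5) + b"..\\x\x00"


if __name__ == "__main__":
    for name, p in (("benign", BENIGN), ("malicious", MALICIOUS), ("truncated", TRUNCATED)):
        print(name, inspect_payload(p) or ["clean"])
```

Feed `inspect_payload` the reassembled TCP payload of each new connection to port 2031 (for example from a Zeek or Suricata stream tap); the parse deliberately tolerates short messages so a malformed exploit attempt still produces findings rather than being silently dropped.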