CVE-2023-2915
Published 2023-08-17
CVE-2023-2915: The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to improper input validation, a path traversal…
Priority P182 · critical · 9.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EXPLOIT
EPSS: 78.09% (99.5th percentile)
The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to improper input validation, a path traversal vulnerability exists when the ThinManager software processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges. A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message resulting in a denial-of-service condition.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwellautomation | thinmanager_thinserver | — | — |
| rockwellautomation | thinmanager_thinserver | 11.0.0 – 11.0.6 | — |
| rockwellautomation | thinmanager_thinserver | 11.1.0 – 11.1.6 | — |
| rockwellautomation | thinmanager_thinserver | 11.2.0 – 11.2.7 | — |
| rockwellautomation | thinmanager_thinserver | 12.0.0 – 12.0.5 | — |
| rockwellautomation | thinmanager_thinserver | 12.1.0 – 12.1.6 | — |
| rockwellautomation | thinmanager_thinserver | 13.0.0 – 13.0.2 | — |
Detection & IOCs (extracted from sources)
- CVE-2023-2915 is triggered by a crafted synchronization protocol message of type 21 (0x0015) sent to TCP port 2031. The message contains path traversal sequences (e.g., '..\') in the files[] field to target arbitrary file paths for deletion under SYSTEM context. Monitor for message type 0x0015 with traversal patterns on port 2031.
- The exploit message of type 21 begins with header bytes '00 15 00 21' (type=0x0015, flags=0x0021). Network detection rules should inspect TCP port 2031 traffic for this byte pattern combined with path traversal sequences ('2E 2E 5C' = '..\').
- Restrict inbound TCP port 2031 access to known thin clients and ThinManager servers only to reduce attack surface for unauthenticated exploitation.
- The vulnerability affects ThinManager ThinServer versions 11.0.0 through 13.1.0. Inventory and flag any unpatched instances of ThinServer.exe within these version ranges as high-priority targets.
- The synchronization protocol message structure for type 21 includes a variable fcount field indicating the number of files to delete, followed by null-terminated file path strings. The path traversal payload uses repeated '../' sequences prepended to the target path. Exploit tooling must correctly serialize this structure to trigger the vulnerability.
- The ThinServer synchronization service runs as NT AUTHORITY\SYSTEM, meaning any file deleted via this vulnerability is removed with full system privileges. No authentication is required to send the malicious message.
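The network check described in the detection notes above, as an added example (not taken from the page's sources or from any vendor rule): it flags payloads sent to TCP port 2031 that begin with `00 15 00 21` and contain a traversal sequence with either separator. It assumes the message header sits at the start of a reassembled payload; the function names and sample flows are constructed for illustration.

```python
import re

THINSERVER_PORT = 2031                      # TCP port named on the page
TYPE21_HEADER = bytes.fromhex("00150021")   # type=0x0015, flags=0x0021
# ".." followed by either separator; the page quotes both '..\' and '../'
TRAVERSAL = re.compile(rb"\.\.[\\/]")


def inspect_payload(dst_port, payload):
    """Return a finding for one reassembled TCP payload, or None."""
    if dst_port != THINSERVER_PORT:
        return None
    # Assumption: the message header sits at the start of the payload.
    if not payload.startswith(TYPE21_HEADER):
        return None
    hits = [m.start() for m in TRAVERSAL.finditer(payload, len(TYPE21_HEADER))]
    if not hits:
        return None
    return {"rule": "CVE-2023-2915", "sequences": len(hits), "first_offset": hits[0]}


def scan(flows):
    """flows: iterable of (src_ip, dst_port, payload) -> list of alerts."""
    alerts = []
    for src, port, payload in flows:
        finding = inspect_payload(port, payload)
        if finding:
            alerts.append({"src": src, **finding})
    return alerts


# Constructed sample payloads. Bytes after the 4-byte header are filler,
# not the real message layout (the page does not give field offsets).
FILLER = b"\x00" * 4
SAMPLE_FLOWS = [
    ("192.0.2.10", 2031, TYPE21_HEADER + FILLER + b"..\\..\\placeholder.txt\x00"),
    ("192.0.2.11", 2031, TYPE21_HEADER + FILLER + b"../../placeholder.txt\x00"),
    ("192.0.2.12", 2031, TYPE21_HEADER + FILLER + b"placeholder.txt\x00"),
    ("192.0.2.13", 2031, bytes.fromhex("000d0021") + FILLER + b"..\\x\x00"),
    ("192.0.2.14", 8080, TYPE21_HEADER + FILLER + b"..\\x\x00"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Only the first two sample flows alert: a type-21 message without traversal, a different message type, and traffic to another port are all ignored.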
CISA ICS
Rockwell Automation ThinManager ThinServer
cisa_ics·2023-08-22·CVSS 7.5
[HIGH] Rockwell Automation ThinManager ThinServer
ICS Advisory
## Rockwell Automation ThinManager ThinServer
Release Date: August 22, 2023
Alert Code: ICSA-23-234-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: ThinManager ThinServer
- Vulnerabilities: Improper Input Validation
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to remotely delete arbitrary files with system privileges.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Rockwell Automation reports this vulnerability affects the following versions of ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software:
- ThinManager ThinServer: Versions 11.0.0-11.0.6
- ThinManage
GHSA
GHSA-j8wc-x537-84cv: The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to improper input validation, a path tra
ghsa_unreviewed·2023-08-17
CVE-2023-2915 [CRITICAL] CWE-20 GHSA-j8wc-x537-84cv: The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to improper input validation, a path tra
The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to improper input validation, a path traversal vulnerability exists when the ThinManager software processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges. A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message resulting in a denial-of-service condition.
No detection rules found.
Tenable
Rockwell Automation ThinManager ThinServer Multiple Vulnerabilities
blogs_tenable·2023-08-17
Greynoiseio
NoiseLetter June 2025
blogs_greynoiseio
Published: 2023-08-17