cbcvebase.
CVE-2023-2917
published 2023-08-17

CVE-2023-2917: The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to an improper input validation, a path traversal…

PriorityP186critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
67.84%
99.2th percentile
The Rockwell Automation Thinmanager Thinserver is impacted by an improper input validation vulnerability. Due to an improper input validation, a path traversal vulnerability exists, via the filename field, when the ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message and potentially gain remote code execution abilities.

Affected

14 ranges
VendorProductVersion rangeFixed in
rockwell_automationthinmanager_thinserver
rockwell_automationthinmanager_thinserver
rockwell_automationthinmanager_thinserver
rockwell_automationthinmanager_thinserver
rockwell_automationthinmanager_thinserver
rockwell_automationthinmanager_thinserver
rockwell_automationthinmanager_thinserver
rockwellautomationthinmanager_thinserver
rockwellautomationthinmanager_thinserver11.0.0 – 11.0.6
rockwellautomationthinmanager_thinserver11.1.0 – 11.1.6
rockwellautomationthinmanager_thinserver11.2.0 – 11.2.7
rockwellautomationthinmanager_thinserver12.0.0 – 12.0.5
rockwellautomationthinmanager_thinserver12.1.0 – 12.1.6
rockwellautomationthinmanager_thinserver13.0.0 – 13.0.2

Detection & IOCsextracted from sources · hover to see the quote

port2031
processThinServer.exe
bytes
00 26 00 21 00 00 00 79 ... 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 5C
  • Monitor TCP port 2031 for unauthenticated inbound connections from unexpected sources; the vulnerable ThinServer synchronization service listens on this port by default.
  • Detect message type 38 (SYNC_MSG_SEND_FILE_BACKGROUND) on TCP/2031 containing path traversal sequences (e.g., repeated '..\' bytes: 2E 2E 5C) in the file_name field, indicating an arbitrary file upload attempt.
  • Detect message type 21 on TCP/2031 containing path traversal sequences (repeated '..\') in the files field, indicating an arbitrary file deletion attempt under SYSTEM context.
  • Alert on new or modified executable files (e.g., .exe, .dll) written to system directories (e.g., Windows\System32) by ThinServer.exe, which may indicate successful exploitation and RCE staging.
  • Detect message type 13 on TCP/2031 where the dsize field is set to 0x7FFFFFFF (bytes: 7F FF FF FF), which triggers the integer overflow in GetDataFromMsgBody and causes an access violation / DoS.
  • ·The vulnerability affects ThinManager ThinServer versions 11.0.0 through 13.1.0; the synchronization service runs as NT AUTHORITY\SYSTEM, maximizing impact of exploitation.
  • ·No authentication is required to send crafted synchronization protocol messages to TCP/2031, making this remotely exploitable by any unauthenticated attacker with network access.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.