cvebase
CVE-2024-5988
published 2024-06-25

Priority: P267
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.65% (83.8th percentile)

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the Rockwell Automation ThinManager® ThinServer™.

Affected

21 ranges
Vendor               Product                 Version range        Fixed in
rockwell_automation  thinmanager_thinserver
rockwell_automation  thinmanager_thinserver
rockwell_automation  thinmanager_thinserver
rockwell_automation  thinmanager_thinserver
rockwell_automation  thinmanager_thinserver
rockwell_automation  thinmanager_thinserver
rockwell_automation  thinmanager_thinserver
rockwellautomation   thinmanager             >= 11.1.0 < 11.1.8   11.1.8
rockwellautomation   thinmanager             >= 11.2.0 < 11.2.9   11.2.9
rockwellautomation   thinmanager             >= 12.0.0 < 12.0.7   12.0.7
rockwellautomation   thinmanager             >= 12.1.0 < 12.1.8   12.1.8
rockwellautomation   thinmanager             >= 13.0.0 < 13.0.5   13.0.5
rockwellautomation   thinmanager             >= 13.1.0 < 13.1.3   13.1.3
rockwellautomation   thinmanager             >= 13.2.0 < 13.2.2   13.2.2
rockwellautomation   thinserver              >= 11.1.0 < 11.1.8   11.1.8
rockwellautomation   thinserver              >= 11.2.0 < 11.2.9   11.2.9
rockwellautomation   thinserver              >= 12.0.0 < 12.0.7   12.0.7
rockwellautomation   thinserver              >= 12.1.0 < 12.1.8   12.1.8
rockwellautomation   thinserver              >= 13.0.0 < 13.0.5   13.0.5
rockwellautomation   thinserver              >= 13.1.0 < 13.1.3   13.1.3
rockwellautomation   thinserver              >= 13.2.0 < 13.2.2   13.2.2

Detection & IOCs (extracted from sources)

port: 2031
process: ThinServer.exe
command: Message Type 20 synchronization message (Tcl command execution)
  • Monitor for unauthenticated inbound connections on TCP port 2031 to ThinServer processes, especially from hosts that are not known thin clients or ThinManager servers.
  • Detect crafted synchronization messages of type 20 sent to ThinServer.exe; exploitation results in Tcl command execution under SYSTEM context, which may spawn unexpected child processes from ThinServer.exe.
  • Monitor ThinServer.exe for exploitation of the 'GetDataFromMsgBody' function via crafted messages to the monitor thread, which bypasses the partial fix in v13.1.1.9.
  • The vulnerability affects ThinManager ThinServer versions 11.1.0, 11.2.0, 12.0.0, 12.1.0, 13.0.0, 13.1.0, and 13.2.0 for CVE-2024-5988. Patched versions are 11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, and 13.2.2.
  • The fix in ThinServer.exe v13.1.1.9 is incomplete; the mitigation preventing bad sizes from reaching 'GetDataFromMsgBody' is missing in some caller functions, leaving the monitor thread exploitable.
  • No authentication is required to exploit CVE-2024-5988; the attack is fully unauthenticated and network-accessible, running payloads under SYSTEM context.
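
One way to express the first two monitoring points above as correlation logic, as an added example (not cvebase's or Rockwell Automation's code). The allowlist range, the correlation window and the event field names are assumptions, and the sample events are constructed.

```python
import ipaddress
import ntpath

THINSERVER_PORT = 2031               # TCP port listed in the IOCs above
THINSERVER_IMAGE = "thinserver.exe"  # process listed in the IOCs above
# Assumption: site-specific allowlist of known thin clients and ThinManager servers.
KNOWN_PEERS = [ipaddress.ip_network("10.20.0.0/24")]
CORRELATION_WINDOW_S = 120           # assumption: tune to local telemetry latency

# Constructed sample telemetry; field names are hypothetical, not a product schema.
SAMPLE_EVENTS = [
    {"type": "net", "ts": 1000, "src": "10.20.0.15", "dst_port": 2031},
    {"type": "net", "ts": 1300, "src": "192.0.2.44", "dst_port": 2031},
    {"type": "net", "ts": 1305, "src": "192.0.2.44", "dst_port": 443},
    {"type": "proc", "ts": 1302, "parent": r"C:\<install-dir>\ThinServer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"type": "proc", "ts": 5000, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": "CORP\\operator"},
]

def is_known_peer(src):
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in KNOWN_PEERS)

def detect(events):
    """Return findings as (severity, rule, event) tuples, ordered by event time."""
    findings, unknown_conn_times = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "net" and ev["dst_port"] == THINSERVER_PORT:
            if not is_known_peer(ev["src"]):
                unknown_conn_times.append(ev["ts"])
                findings.append(("medium", "unknown_peer_to_2031", ev))
        elif ev["type"] == "proc":
            if ntpath.basename(ev["parent"]).lower() != THINSERVER_IMAGE:
                continue
            # A child of ThinServer.exe shortly after an unknown-peer connection
            # is the strongest signal: it matches the behaviour described above.
            near = any(0 <= ev["ts"] - t <= CORRELATION_WINDOW_S
                       for t in unknown_conn_times)
            findings.append(("high" if near else "medium",
                             "thinserver_child_process", ev))
    return findings

if __name__ == "__main__":
    for severity, rule, ev in detect(SAMPLE_EVENTS):
        print(severity, rule, ev)
```

Child processes that ThinServer.exe starts in normal operation at a given site would need to be baselined and excluded before the medium-severity rule is useful.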

CVSS provenance

nvd  v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v4.0  9.3  CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X