CVE-2024-7988
Published: 2024-08-26
Priority: P265 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.48% (70.6th percentile)
A remote code execution vulnerability exists in the Rockwell Automation ThinManager® ThinServer™ that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | thinmanager_thinserver | — | — |
| rockwellautomation | thinmanager_thinserver | >= 11.1.0 < 11.1.8 | 11.1.8 |
| rockwellautomation | thinmanager_thinserver | >= 11.2.0 < 11.2.9 | 11.2.9 |
| rockwellautomation | thinmanager_thinserver | >= 12.0.0 < 12.0.7 | 12.0.7 |
| rockwellautomation | thinmanager_thinserver | >= 12.1.0 < 12.1.8 | 12.1.8 |
| rockwellautomation | thinmanager_thinserver | >= 13.0.0 < 13.0.5 | 13.0.5 |
| rockwellautomation | thinmanager_thinserver | >= 13.1.0 < 13.1.3 | 13.1.3 |
| rockwellautomation | thinmanager_thinserver | >= 13.2.0 < 13.2.2 | 13.2.2 |
Detection & IOCs
- CVE-2024-7988 is remotely exploitable (AV:N) with no authentication required (PR:N) and no user interaction (UI:N). Monitor for unexpected inbound connections to ThinManager ThinServer service ports from untrusted/external hosts.
- Alert on unexpected file overwrites originating from the ThinServer service process, which may indicate exploitation of improper input validation leading to arbitrary file overwrite and RCE with SYSTEM privileges.
- Monitor the ThinServer service for anomalous child processes or unexpected processes running as SYSTEM, as successful exploitation results in arbitrary code execution with System privileges.
- No known public exploitation has been reported as of the advisory publication date; threat hunting should still be prioritised given the CVSS v4 score of 9.3 and network-accessible attack vector.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CISA ICS
Rockwell Automation ThinManager ThinServer
cisa_ics·2024-08-29·CVSS 6.8
[MEDIUM] Rockwell Automation ThinManager ThinServer
ICS Advisory
## Rockwell Automation ThinManager ThinServer
Release Date: August 29, 2024
Alert Code: ICSA-24-242-01
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: Rockwell Automation
- Equipment: ThinManager ThinServer
- Vulnerabilities: Improper Privilege Management, Incorrect Permission Assignment for Critical Resource, Improper Input Validation
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to read arbitrary files and execute arbitrary code with system privileges.
## 3. TECHNICAL DETAILS
### 3.1 AFFECTED PRODUCTS
The following versions of Rockwell Automat
GHSA
GHSA-p997-wfmc-cvcj: A remote code execution vulnerability exists in the Rockwell Automation ThinManager® ThinServer™ that allows a threat actor to execute arbitrary code
ghsa_unreviewed·2024-08-26
CVE-2024-7988 [CRITICAL] CWE-20 GHSA-p997-wfmc-cvcj: A remote code execution vulnerability exists in the Rockwell Automation ThinManager® ThinServer™ that allows a threat actor to execute arbitrary code
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-08-26
Published