CVE-2023-2917
📋 TL;DR
CVE-2023-2917 is a critical path traversal vulnerability in Rockwell Automation ThinManager Thinserver that allows unauthenticated remote attackers to upload arbitrary files to any directory on the server. This can lead to remote code execution. Organizations using affected ThinManager versions are at risk.
💻 Affected Systems
- Rockwell Automation ThinManager Thinserver
📦 What is this software?
ThinManager ThinServer by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, ransomware deployment, or disruption of industrial operations.
Likely Case
Unauthorized file upload leading to webshell installation, credential harvesting, or lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, application whitelisting, and least privilege controls are implemented.
🎯 Exploit Status
The vulnerability requires sending crafted synchronization protocol messages but does not require authentication, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 11.0.0 or later
Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1140471
Restart Required: Yes
Instructions:
1. Download ThinManager version 11.0.0 or later from Rockwell Automation.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart the ThinServer service.
🔧 Temporary Workarounds
Network Segmentation
Isolate ThinManager servers from untrusted networks and implement strict firewall rules.
Disable Unnecessary Services
Disable the synchronization protocol if it is not required for operations.
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to ThinManager servers only from trusted sources.
- Deploy application whitelisting to prevent execution of unauthorized files that could be uploaded via this vulnerability.
🔍 How to Verify
Check if Vulnerable:
Check ThinManager version in application interface or Windows Programs and Features. Versions below 11.0.0 are vulnerable.
Check Version:
Check ThinManager application interface or Windows Control Panel > Programs and Features
Verify Fix Applied:
Verify ThinManager version is 11.0.0 or higher and test that file upload attempts with path traversal payloads are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation events in ThinServer directories
- Failed or successful file upload attempts with suspicious filenames
- Synchronization protocol messages with path traversal patterns
Network Indicators:
- Unusual synchronization protocol traffic from untrusted sources
- File upload attempts to ThinServer port
SIEM Query:
source="ThinServer" AND (event="file_upload" OR event="sync_protocol") AND (filename CONTAINS "..\\" OR filename CONTAINS "../")
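As an added example (not part of the original advisory and not Rockwell Automation code), the SIEM query above can be turned into a small offline detector that runs over log lines and flags filenames carrying a `..` path segment, including percent-encoded variants the literal `CONTAINS` match would miss. The `source="..." event="..." filename="..."` field layout and the sample log lines are assumptions constructed for the example, not real ThinServer log records.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in the key="value" shape the SIEM query assumes.
# These are not real ThinServer records; the layout is an assumption.
SAMPLE_LOGS = [
    'source="ThinServer" event="file_upload" filename="config.xml"',
    'source="ThinServer" event="file_upload" filename="..\\..\\Windows\\Temp\\x.exe"',
    'source="ThinServer" event="sync_protocol" filename="../../etc/hosts"',
    'source="ThinServer" event="sync_protocol" filename="%2e%2e%2f%2e%2e%2fboot.ini"',
    'source="ThinServer" event="sync_protocol" filename="images/logo.png"',
    'source="Other" event="file_upload" filename="../x"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# A traversal segment is '..' bounded by a path separator (or string edge)
# on both sides, so 'file..name.txt' is not flagged but '..\\x' and '../x' are.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def parse_log_line(line):
    """Split a key="value" log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def is_traversal(filename):
    """True if filename contains a '..' segment, checking the raw value and
    up to two rounds of percent-decoding to catch encoded or double-encoded forms."""
    candidate = filename
    for _ in range(3):
        if TRAVERSAL_RE.search(candidate):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    return False


def find_traversal_events(lines):
    """Return the ThinServer upload/sync events whose filename looks like traversal."""
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        if fields.get("source") != "ThinServer":
            continue
        if fields.get("event") not in ("file_upload", "sync_protocol"):
            continue
        if is_traversal(fields.get("filename", "")):
            hits.append(fields)
    return hits
```

Running `find_traversal_events(SAMPLE_LOGS)` on the constructed lines returns three events: the two raw `..` filenames and the percent-encoded one.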