CVE-2025-9065
📋 TL;DR
This CVE describes a server-side request forgery (SSRF) vulnerability in Rockwell Automation ThinManager: an authenticated attacker can supply an SMB (UNC) path that makes the ThinServer service connect to an attacker-controlled share. Because the service authenticates to that share with NTLM, the attacker captures the ThinServer service account's NTLM challenge-response, which can be cracked offline or relayed, enabling credential theft and lateral movement. Organizations running affected ThinManager versions are at risk.
💻 Affected Systems
- Rockwell Automation ThinManager
📦 What is this software?
ThinManager by Rockwell Automation: centralized management software for thin clients and terminals in industrial (plant-floor) environments. The ThinServer Windows service runs under a service account, which is the credential exposed by this vulnerability.
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal service account credentials, gain domain persistence, move laterally across the network, and potentially compromise critical industrial control systems.
Likely Case
Attackers capture the service account's NTLM challenge-response, crack it offline (or relay it to a host that does not require SMB signing), gain access to the service account, and use those credentials for further network reconnaissance and privilege escalation.
If Mitigated
With proper network segmentation and credential protection, impact is limited to the isolated ThinManager system without lateral movement capabilities.
🎯 Exploit Status
Exploitation requires an authenticated ThinManager session, after which it is technically simple: the attacker supplies an SMB path pointing at a host they control and waits for the ThinServer service to connect and authenticate. The root cause is improper validation of user-supplied SMB paths, so the server does not restrict which hosts it will connect to.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ThinManager 11.2.1 or later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1743.html
Restart Required: Yes
Instructions:
1. Confirm in the vendor advisory that your installed version is in the affected range and note the fixed version for your branch (this page lists 11.2.1).
2. Download ThinManager 11.2.1 or later from Rockwell Automation.
3. Back up the current ThinManager configuration.
4. Install the update following vendor documentation.
5. Restart the ThinManager server.
6. Verify the update was successful: the reported version is 11.2.1 or later and the ThinServer service is running.
🔧 Temporary Workarounds
Network Segmentation
Restrict the ThinManager server's outbound SMB connections to prevent hash capture.
Configure host or perimeter firewall rules to block outbound SMB (TCP 445, and TCP 139 for NetBIOS session fallback) from the ThinManager server to everything except the file servers it legitimately needs. Also disable the WebClient service on the server, otherwise a UNC path whose SMB connection is blocked can fall back to WebDAV and leak NTLM over HTTP instead.
Credential Hardening
Run ThinServer under a dedicated service account with minimal privileges (no domain admin or local admin on other hosts), enforce password rotation (the command below clears PasswordNeverExpires and allows the password to be changed so rotation can be applied), and enable NTLM auditing on the server via the "Network security: Restrict NTLM" policies:
Set-ADAccountControl -Identity 'ThinServerAccount' -CannotChangePassword $false -PasswordNeverExpires $false
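The following is an added example of the two workarounds above applied on the ThinManager host; it is not from the Rockwell advisory or from ThinManager itself. The approved file-server addresses, the service account name and the assumption that ThinServer needs SMB only to those hosts are illustrative. Windows Firewall evaluates Block rules before Allow rules regardless of order, so "allow these hosts, block all other SMB" cannot be written as an allow rule plus a block rule; the example instead expresses the allow-list as the complementary address ranges inside a single block rule.

```powershell
# Added hardening example for an unpatched ThinManager server (not vendor code).
# Run in an elevated PowerShell session on the ThinManager server.
$allowedSmbServers = @('10.10.5.20', '10.10.5.21')   # assumption: file servers ThinServer must reach over SMB
$serviceAccount    = 'ThinServerAccount'              # assumption: the ThinServer service account

# --- IPv4 helpers ---------------------------------------------------------------
function ConvertTo-UInt32Ip ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                           # network order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}
function ConvertFrom-UInt32Ip ([uint32]$N) {
    $bytes = [BitConverter]::GetBytes($N)
    [Array]::Reverse($bytes)
    [System.Net.IPAddress]::new($bytes).ToString()
}

# Complement of the allow-list as "start-end" ranges, the form Windows Firewall
# accepts for -RemoteAddress. Block rules win over Allow rules, so the allow-list
# has to live inside the Block rule's address set.
function Get-SmbBlockRanges ([string[]]$AllowedHosts) {
    $ranges = @()
    $cursor = [uint64]0
    $sorted = $AllowedHosts | ForEach-Object { ConvertTo-UInt32Ip $_ } | Sort-Object -Unique
    foreach ($n in $sorted) {
        if ($n -gt $cursor) {
            $ranges += '{0}-{1}' -f (ConvertFrom-UInt32Ip $cursor), (ConvertFrom-UInt32Ip ($n - 1))
        }
        $cursor = [uint64]$n + 1
    }
    if ($cursor -le [uint32]::MaxValue) {
        $ranges += '{0}-255.255.255.255' -f (ConvertFrom-UInt32Ip $cursor)
    }
    $ranges
}

# 1. Outbound SMB: TCP 445 plus 139 (NetBIOS session fallback) to every address
#    except the approved file servers.
New-NetFirewallRule -DisplayName 'ThinManager: block outbound SMB except approved file servers' `
    -Direction Outbound -Protocol TCP -RemotePort @('445', '139') `
    -RemoteAddress (Get-SmbBlockRanges -AllowedHosts $allowedSmbServers) `
    -Action Block -Profile Any | Out-Null

# 2. Stop the WebDAV redirector so a blocked UNC path cannot fall back to HTTP
#    and leak the same NTLM challenge-response over port 80/443.
Stop-Service -Name WebClient -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. NTLM auditing for outgoing authentication from this host. This value backs the
#    GPO "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
#    1 = audit all, 2 = deny all. Audit first, review event 8001 in the
#    Microsoft-Windows-NTLM/Operational log for unexpected target servers, then deny.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# 4. Service account hygiene (needs the ActiveDirectory RSAT module): rotate the
#    password, and mark the account "sensitive, cannot be delegated" so a captured
#    or relayed credential cannot be used in delegation abuse.
Set-ADAccountControl -Identity $serviceAccount -PasswordNeverExpires $false `
    -CannotChangePassword $false -AccountNotDelegated $true
```

Moving RestrictSendingNTLMTraffic from 1 to 2 turns the mitigation from detection into prevention, but only after the 8001 audit events confirm that ThinServer's legitimate SMB targets either accept Kerberos or are added to the ClientAllowedNTLMServers exception list; otherwise the deny setting breaks the approved file-server access that the firewall rule above deliberately keeps open.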
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ThinManager from other systems
- Monitor for unusual SMB outbound connections from the ThinManager server
🔍 How to Verify
Check if Vulnerable:
Check ThinManager version in the application interface or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Rockwell Software\ThinManager\Version
Check Version:
reg query "HKLM\SOFTWARE\Rockwell Software\ThinManager" /v Version
Verify Fix Applied:
Verify that the ThinManager version is 11.2.1 or higher (compare version fields numerically, not as strings) and that a UNC path pointing at a non-approved host is rejected rather than connected to.
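An added verification script, not from the page's author or from Rockwell, that reads the registry key quoted above and compares the value against the fixed version as a proper version number. It assumes the key and value name shown on this page are correct for your install, adds the WOW6432Node path a 32-bit installer uses on 64-bit Windows, and takes the fixed version (11.2.1) from this page; confirm that number against the vendor advisory.

```powershell
# Added example: is the installed ThinManager at or above the fixed version?
function Test-ThinManagerPatched {
    param(
        [string]$Installed,
        [string]$Fixed = '11.2.1'   # assumption: fixed version as listed on this page
    )
    # [version] compares field by field, so 11.10.0 is correctly newer than 11.2.1;
    # a plain string comparison would call "11.10.0" older than "11.2.1".
    try {
        $i = [version]$Installed
        $f = [version]$Fixed
    } catch {
        return $false               # unparseable version string: do not report as patched
    }
    return ($i -ge $f)
}

function Get-ThinManagerVersion {
    # The key quoted on this page, plus the WOW6432Node location used by 32-bit installers.
    $keys = 'HKLM:\SOFTWARE\Rockwell Software\ThinManager',
            'HKLM:\SOFTWARE\WOW6432Node\Rockwell Software\ThinManager'
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -Name Version -ErrorAction SilentlyContinue
        if ($p -and $p.Version) { return [string]$p.Version }
    }
    return $null
}

$installed = Get-ThinManagerVersion
if (-not $installed) {
    Write-Warning 'ThinManager version key not found; read the version from the application interface instead.'
} elseif (Test-ThinManagerPatched -Installed $installed) {
    "ThinManager $installed is at or above the fixed version."
} else {
    "ThinManager $installed is below the fixed version: update required."
}
```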
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts to ThinManager (Security event 4625 on the ThinManager server)
- Unusual SMB connection attempts from the ThinManager server (Security events 5156/5157 with destination port 445, if Audit Filtering Platform Connection is enabled, or Sysmon event 3)
- ThinManager service account authentication from unexpected sources (Security event 4776 on domain controllers where the workstation is not the ThinManager host)
- With NTLM auditing enabled on the server, event 8001 in the Microsoft-Windows-NTLM/Operational log naming a target server that is not an approved file server
Network Indicators:
- Outbound SMB connections (TCP 445 or 139) from the ThinManager server to any host other than its approved file servers, internal or external
- NTLM authentication traffic from the ThinManager service account to hosts that are not approved file servers
SIEM Query:
(host="ThinManager" AND event_id=4625) OR (host="DC*" AND event_id=4776 AND target_user="ThinServerAccount" AND NOT workstation="ThinManager") OR (src_ip="ThinManager_IP" AND dest_port IN (445, 139) AND NOT dest_ip IN (approved_file_servers))
Parentheses matter: AND binds tighter than OR in most SIEM query languages, so an unparenthesised query silently groups the wrong clauses. Event 4776 is logged on domain controllers, not on the ThinManager host, so it must be sourced from DC logs. Field names are placeholders; map them to your SIEM's schema.
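The following is an added example that runs the indicators above as detection logic over Security-log style records; it is not the page's SIEM query and not vendor tooling. The host names, addresses, account name and the five sample records are constructed for illustration. It assumes Windows Filtering Platform connection auditing (events 5156/5157) on the ThinManager server and 4776 collected from the domain controllers; the Direction value %%14593 is what the raw XML carries for an outbound connection.

```powershell
# Added detection example (constructed sample data, not real logs).
$thinManagerHost  = 'THINMGR01'                # assumption
$thinManagerIp    = '10.10.20.15'              # assumption
$serviceAccount   = 'ThinServerAccount'        # assumption
$approvedSmbHosts = @('10.10.5.20', '10.10.5.21')

# Flatten a live Security event: each EventData <Data Name=...> becomes a property.
function ConvertFrom-SecurityEvent ($Event) {
    $x = [xml]$Event.ToXml()
    $props = @{ Id = $Event.Id; TimeCreated = $Event.TimeCreated; Computer = $Event.MachineName }
    foreach ($d in $x.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject]$props
}

function Find-ThinManagerNtlmLeakIndicators {
    param([object[]]$Events)
    foreach ($e in $Events) {
        switch ($e.Id) {
            # 5156/5157: WFP allowed/blocked a connection. SMB from the ThinManager
            # server to anything but an approved file server is the SSRF in flight.
            { $_ -in 5156, 5157 } {
                if ($e.DestPort -in '445', '139' -and $e.Direction -in '%%14593', 'Outbound' -and
                    $e.DestAddress -notin $approvedSmbHosts) {
                    [pscustomobject]@{ Severity = 'High'; Time = $e.TimeCreated
                        Indicator = 'Outbound SMB from ThinManager to non-approved host'
                        Detail    = "$($e.DestAddress):$($e.DestPort) (event $($e.Id) on $($e.Computer))" }
                }
            }
            # 4776 (domain controller): NTLM credential validation. The service account
            # should only ever be validated for the ThinManager server itself.
            4776 {
                if ($e.TargetUserName -ieq $serviceAccount -and $e.Workstation -ine $thinManagerHost) {
                    [pscustomobject]@{ Severity = 'High'; Time = $e.TimeCreated
                        Indicator = 'Service account NTLM auth from unexpected workstation'
                        Detail    = "workstation=$($e.Workstation) status=$($e.Status) (DC $($e.Computer))" }
                }
            }
            # 4625: failed logon with the service account (cracking attempts, spraying).
            4625 {
                if ($e.TargetUserName -ieq $serviceAccount) {
                    [pscustomobject]@{ Severity = 'Medium'; Time = $e.TimeCreated
                        Indicator = 'Failed logon with ThinServer service account'
                        Detail    = "from $($e.IpAddress) on $($e.Computer)" }
                }
            }
        }
    }
}

# Constructed sample records (shape of ConvertFrom-SecurityEvent output).
$sampleEvents = @(
    [pscustomobject]@{ Id = 5156; TimeCreated = '2025-09-10 14:02:11'; Computer = $thinManagerHost; Direction = '%%14593'; SourceAddress = $thinManagerIp; DestAddress = '10.10.5.20'; DestPort = '445' }   # benign: approved file server
    [pscustomobject]@{ Id = 5156; TimeCreated = '2025-09-10 14:05:43'; Computer = $thinManagerHost; Direction = '%%14593'; SourceAddress = $thinManagerIp; DestAddress = '10.10.77.9'; DestPort = '445' }   # suspicious: attacker share
    [pscustomobject]@{ Id = 4776; TimeCreated = '2025-09-10 14:05:44'; Computer = 'DC01'; TargetUserName = $serviceAccount; Workstation = $thinManagerHost; Status = '0x0' }  # benign
    [pscustomobject]@{ Id = 4776; TimeCreated = '2025-09-10 15:30:02'; Computer = 'DC01'; TargetUserName = $serviceAccount; Workstation = 'WS-ENG-07'; Status = '0x0' }        # suspicious: cracked credential reused
    [pscustomobject]@{ Id = 4625; TimeCreated = '2025-09-10 15:28:50'; Computer = 'FS01'; TargetUserName = $serviceAccount; IpAddress = '10.10.77.9'; Status = '0xC000006D' }   # suspicious
)
Find-ThinManagerNtlmLeakIndicators -Events $sampleEvents | Format-Table -AutoSize

# Live use on the ThinManager server (4776 has to come from the DCs' Security logs):
# Find-ThinManagerNtlmLeakIndicators -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157 } -MaxEvents 5000 |
#     ForEach-Object { ConvertFrom-SecurityEvent $_ })
```

Against the constructed records the function reports three findings: the outbound SMB connection to 10.10.77.9, the 4776 validation from WS-ENG-07, and the 4625 failure on FS01. The first of these is the one that fires while the SSRF is being exploited; the other two only appear once the captured credential has been cracked or relayed, so the 5156/5157 path is the early-warning signal and is worth alerting on at high priority even at low volume.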