Rockwell ThinManager Security Alerts: What You Need to Know

There is a new warning, an advisory, from CISA about Rockwell Automation's ThinManager software. This is serious stuff, so listen up.

Big Problems Found in Rockwell ThinManager

CISA released the advisory ICSA-25-119-01 on April 29, 2025. It describes two vulnerabilities in ThinManager. This software is used widely in factories, plants and other industrial control environments to manage the thin-client screens that operators use.

These problems are high-severity. The first is CVE-2025-3618. It concerns how ThinManager handles a certain kind of message ("Type 18"). An attacker, even remotely and without needing a password, can send a malformed message. This message makes the ThinManager server check memory bounds incorrectly (Improper Memory Bounds Check), and the server can crash. This is a Denial-of-Service (DoS): it stops the service from working. Imagine the operators suddenly unable to see or control the machines! Very bad for production and maybe for safety.

The second problem is CVE-2025-3617. This one is about file permissions. When ThinManager starts, it mishandles the permissions of a temporary folder. It deletes files, and the folder then inherits its permissions from its parent directory, which might be too open. An attacker who already has some access to the computer (local access, low privilege) can use this mistake to gain much higher privileges, such as administrator or SYSTEM level. This is Privilege Escalation. With that power, an attacker can control the ThinManager server, change things, and maybe attack other systems.

Who is affected? If you use ThinManager version 14.0.0 or any older version, you have these problems. Rockwell says v14.0.1 is affected too. So, basically, most versions before the fix need attention.

Why This Matters for OT (Operational Technology)

In the industrial world (OT), ThinManager is critical.

  • Stopping Operations: The DoS attack (CVE-2025-3618) can shut down the ThinManager server. This means operator screens (HMIs) go blank. Production can stop, and safety may be at risk if operators can't see warnings. Because this attack can come from the network without a login, it's a big risk if the server is not protected.
  • Taking Control: The privilege escalation (CVE-2025-3617) lets an attacker with basic access become the boss of the ThinManager server. They could show fake information to operators, change settings, or use the server to attack other important control systems. This needs local access first, but it's a powerful step for an attacker who is already inside.

What Should You Do? (Action!)

Rockwell and CISA give good advice. It is important that you do this:

  1. Update! Patch!: This is number one. Rockwell released ThinManager v14.0.2, which fixes both problems. If you use older versions, Rockwell also released patches for the DoS bug (CVE-2025-3618) in versions v11.2.11, 12.0.9, 13.1.5, and 13.2.4. Get the update for your version as soon as possible.
  2. Harden Your System: Follow Rockwell's security guidance for ThinManager. Use strong passwords, and give users only the permissions they need (least privilege). Make sure file permissions are correct to help stop the privilege escalation bug.
  3. Protect the Network: CISA says to minimize network exposure. Put ThinManager behind firewalls. Don't connect it directly to the internet or to business networks if you don't need to. Control who can reach it by IP address. If you need remote access, use secure VPNs.
  4. Watch and Prepare: Monitor the ThinManager system and its network traffic. Look for anything unusual, such as unexpected crashes or restarts of the ThinManager service. Right now, no public exploits for these CVEs are known, but attackers might develop them soon. Have an incident response plan. Know what to do if ThinManager stops working. Have backups.
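As an added example (not part of the CISA advisory or Rockwell's own guidance), the PowerShell check below audits a folder for the weakness class behind CVE-2025-3617: a directory that inherits its ACL from its parent and so grants write access to low-privileged principals. The folder path is an assumption, since the advisory does not name the temporary directory; point it at the one ThinManager uses on your server.

```powershell
# Added example, not from the advisory or from Rockwell. Reports whether a folder
# inherits its ACL from its parent and which broad principals hold write rights
# there, the two conditions that together make a temp folder a privilege
# escalation target. $Path is an assumption: the advisory does not name the folder.
function Test-InheritedWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals that should never hold write rights on a service's private folder.
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                        'NT AUTHORITY\Authenticated Users',
                                        'NT AUTHORITY\INTERACTIVE')
    )
    $acl = Get-Acl -LiteralPath $Path
    # FileSystemRights.Write covers WriteData/AppendData/WriteAttributes/WriteEA;
    # Modify and FullControl include these bits, so one mask catches all of them.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $findings = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $isBroad     = $BroadPrincipals -contains $rule.IdentityReference.Value
        $grantsWrite = (([int]$rule.FileSystemRights) -band $writeMask) -ne 0
        if ($isBroad -and $grantsWrite) {
            [pscustomobject]@{
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # $true: the ACE came from the parent
            }
        }
    }
    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner
        InheritsFromParent = -not $acl.AreAccessRulesProtected
        BroadWriteAces     = @($findings)
    }
}

# Usage (placeholder path; replace with the ThinManager temp folder on your server):
# Test-InheritedWriteAccess -Path 'C:\<ThinManager temp folder>' | Format-List
```

A result with InheritsFromParent set to true and a non-empty BroadWriteAces list means low-privileged users can write into the folder, which is exactly the condition the patch and Rockwell's hardening guidance are meant to remove.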

Conclusion

These are serious vulnerabilities in a key industrial system. The DoS can stop operations, and the privilege escalation can give attackers control. The good news is that patches are available. But it is important to act fast: update your systems, secure your network, and be prepared. Stay safe out there, friends.

CISA Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-25-119-01
