PatchSiren cyber security CVE debrief
CVE-2024-10387 Rockwell Automation CVE debrief
A denial-of-service vulnerability in Rockwell Automation FactoryTalk ThinManager allows network-based threat actors to crash the service by sending crafted messages. The vulnerability affects multiple ThinManager versions from 11.2.0 through 14.0.0. Rockwell Automation has released patches for all affected versions.
- Vendor: Rockwell Automation
- Product: ThinManager
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-31
- Original CVE updated: 2024-10-31
- Advisory published: 2024-10-31
- Advisory updated: 2024-10-31
Who should care
Organizations running Rockwell Automation FactoryTalk ThinManager in manufacturing, energy, water treatment, or other industrial environments. Security teams responsible for OT/ICS network segmentation and availability of thin client management infrastructure. Patch management teams coordinating vendor updates for industrial control systems.
Technical summary
The vulnerability exists in the message handling of FactoryTalk ThinManager. A threat actor with network access can send specially crafted messages to TCP port 2031, causing the ThinManager service to become unresponsive. The attack requires no authentication and has low complexity. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. This represents a straightforward network-based DoS condition against critical industrial infrastructure components.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor patches from the FactoryTalk ThinManager download site for affected versions (11.2.0-11.2.9, 12.0.0-12.0.7, 12.1.0-12.1.8, 13.0.0-13.0.5, 13.1.0-13.1.3, 13.2.0-13.2.2, and 14.0.0)
- Implement network hardening by restricting TCP port 2031 access to only authorized devices that require ThinManager connectivity
- Follow Rockwell Automation's security best practices for industrial automation control systems
- Review CISA's ICS recommended practices for defense-in-depth strategies
- Monitor network traffic for anomalous connections to ThinManager systems on TCP 2031
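For the port-restriction and monitoring actions above, an added example (not from Rockwell Automation, CISA, or this page's sources) that scans flow records for TCP 2031 connections reaching a ThinManager server from outside an allowlist. The CSV record layout, the server address and the authorized subnets are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter

THINMANAGER_PORT = 2031  # TCP port named in the advisory

# Assumption: subnets/hosts that legitimately need ThinManager connectivity.
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.20.40.10/32")]
# Assumption: address of the ThinManager server being protected.
THINMANAGER_SERVERS = {ipaddress.ip_address("10.20.30.5")}

# Constructed sample flow records: timestamp,src_ip,dst_ip,dst_port,proto
SAMPLE_FLOWS = """\
2024-11-01T08:00:01Z,10.20.30.17,10.20.30.5,2031,tcp
2024-11-01T08:00:02Z,192.168.50.9,10.20.30.5,2031,tcp
2024-11-01T08:00:02Z,192.168.50.9,10.20.30.5,2031,tcp
2024-11-01T08:00:03Z,10.20.40.10,10.20.30.5,2031,tcp
2024-11-01T08:00:04Z,172.16.1.4,10.20.30.5,443,tcp
2024-11-01T08:00:05Z,172.16.1.4,10.20.30.5,2031,udp
2024-11-01T08:00:06Z,172.16.1.4,10.20.30.5,2031,tcp
2024-11-01T08:00:07Z,not-an-ip,10.20.30.5,2031,tcp
"""

def is_authorized(src_ip):
    """True if the source address falls inside any allowlisted network."""
    return any(src_ip in net for net in AUTHORIZED_NETS)

def unauthorized_2031_sources(flow_csv):
    """Return (Counter of src_ip -> hits, malformed row count) for TCP/2031
    flows to a ThinManager server from sources outside the allowlist."""
    hits, skipped = Counter(), 0
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            _ts, src, dst, port, proto = (field.strip() for field in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:  # wrong field count, bad address, or bad port
            skipped += 1
            continue
        if proto.lower() != "tcp" or port != THINMANAGER_PORT:
            continue
        if dst_ip in THINMANAGER_SERVERS and not is_authorized(src_ip):
            hits[str(src_ip)] += 1
    return hits, skipped

if __name__ == "__main__":
    found, bad_rows = unauthorized_2031_sources(SAMPLE_FLOWS)
    for src, count in found.most_common():
        print(f"ALERT unauthorized source {src}: {count} connection(s) to TCP {THINMANAGER_PORT}")
    print(f"{bad_rows} malformed row(s) skipped")
```

Malformed rows are counted rather than silently dropped, so a spike in skipped records can itself be reviewed.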
Evidence notes
CISA published advisory ICSA-24-305-01 on 2024-10-31 with CVSS 3.1 score 7.5 (HIGH). The vulnerability is network-accessible with low attack complexity and no privileges required. Affected versions span ThinManager 11.2.0 through 14.0.0 across seven specific version ranges. Rockwell Automation has provided vendor fixes for all affected versions.
Official resources
- CVE-2024-10387 CVE record (CVE.org)
- CVE-2024-10387 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-10-31