PatchSiren cyber security CVE debrief

CVE-2024-5988 Rockwell Automation CVE debrief

A critical remote code execution vulnerability in Rockwell Automation ThinManager ThinServer allows unauthenticated attackers to execute arbitrary code by sending crafted malicious messages, because the server does not properly validate its input. The vulnerability affects multiple versions from 11.1.0 through 13.2.0 and was disclosed by CISA on July 11, 2024.

Vendor: Rockwell Automation
Product: ThinManager ThinServer
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-11
Original CVE updated: 2024-07-11
Advisory published: 2024-07-11
Advisory updated: 2024-07-11

Who should care

Organizations running Rockwell Automation ThinManager ThinServer in industrial environments, particularly manufacturing, energy, and critical infrastructure sectors where ThinManager is deployed for centralized thin client management. Security teams responsible for OT/ICS network segmentation and patch management should prioritize this vulnerability due to its unauthenticated nature and critical severity.

Technical summary

CVE-2024-5988 is a critical vulnerability (CVSS 9.8) in Rockwell Automation ThinManager ThinServer affecting versions 11.1.0 through 13.2.0. The flaw stems from improper input validation that allows an unauthenticated remote attacker to send a crafted malicious message to invoke local or remote executables, resulting in remote code execution on the affected device. The vulnerability is network-accessible and requires no authentication, making it trivially exploitable. The ThinServer component listens on TCP port 2031, which should be considered a high-risk attack surface. Rockwell Automation has released patched versions across all affected release branches.

Defensive priority

CRITICAL

Recommended defensive actions

  • Update ThinManager ThinServer to corrected versions: 11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, or 13.2.2 via the ThinManager Downloads Site
  • Restrict network access to TCP port 2031, limiting connections to known thin clients and ThinManager servers only
  • Apply Rockwell Automation's security best practices for industrial control systems
  • Monitor for unauthorized connection attempts to TCP port 2031
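A small triage helper for the first action above, added here as an example and not code from PatchSiren, Rockwell Automation or CISA: it checks an installed ThinServer version against the affected range and the corrected release for its branch as listed in this debrief, and flags hosts that are not on a patched release. Host names and versions in any inventory passed to it are assumed to come from your own asset list.

```python
# Added example (not code from PatchSiren, Rockwell Automation or the advisory):
# triage installed ThinManager ThinServer versions against the affected range
# and corrected releases stated in this debrief for CVE-2024-5988.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Corrected release per branch (major, minor), as listed in the advisory.
CORRECTED: Dict[Tuple[int, int], Version] = {
    (11, 1): (11, 1, 8), (11, 2): (11, 2, 9), (12, 0): (12, 0, 7),
    (12, 1): (12, 1, 8), (13, 0): (13, 0, 5), (13, 1): (13, 1, 3),
    (13, 2): (13, 2, 2),
}
AFFECTED_LOW: Version = (11, 1, 0)   # first affected version
AFFECTED_HIGH: Version = (13, 2, 0)  # last affected version


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; reject anything else rather than guess."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, corrected_version) for one installed version.

    'vulnerable': below its branch's corrected release, or inside
    11.1.0..13.2.0 on a branch with no listed fix; 'patched': at or above
    the corrected release; 'outside_range': neither listed nor in range.
    """
    v = parse_version(text)
    fixed = CORRECTED.get(v[:2])
    if fixed is None:
        inside = AFFECTED_LOW <= v <= AFFECTED_HIGH
        return ("vulnerable" if inside else "outside_range", None)
    # Anything below the corrected release is treated as unpatched; this also
    # covers builds between the last listed affected version and the fix.
    target = ".".join(str(n) for n in fixed)
    return ("vulnerable" if v < fixed else "patched", target)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (host, version, status, target) for hosts not on a patched release."""
    rows = [(h, ver, *assess(ver)) for h, ver in inventory.items()]
    return [r for r in rows if r[2] != "patched"]
```

Feed `triage()` a mapping of host name to reported ThinServer version; every row it returns names the corrected release to move that host to, or `None` where the advisory lists no fix for that branch.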

Evidence notes

CISA published advisory ICSA-24-193-18 on July 11, 2024, documenting this vulnerability with CVSS 3.1 score of 9.8. The advisory confirms unauthenticated remote code execution via improper input validation on TCP port 2031. Rockwell Automation has released corrected versions for all affected branches.

Official resources

2024-07-11