PatchSiren cyber security CVE debrief
CVE-2024-5989 Rockwell Automation CVE debrief
CVE-2024-5989 is a critical vulnerability in Rockwell Automation ThinManager ThinServer, published on July 11, 2024. The flaw stems from improper input validation, allowing an unauthenticated attacker to send a malicious message that triggers SQL injection and results in remote code execution on the affected device. The vulnerability carries a CVSS 3.1 score of 9.8 (Critical), reflecting a network-based attack vector, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Affected versions span ThinManager ThinServer 11.1.0 through 13.2.0. Rockwell Automation has released corrected versions: 11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, and 13.2.2. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the advisory date.
- Vendor: Rockwell Automation
- Product: ThinManager ThinServer
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-11
- Original CVE updated: 2024-07-11
- Advisory published: 2024-07-11
- Advisory updated: 2024-07-11
Who should care
Organizations operating Rockwell Automation ThinManager ThinServer in manufacturing, industrial automation, and critical infrastructure environments. Security teams responsible for OT/ICS network segmentation and patch management. System integrators and managed service providers supporting ThinManager deployments.
Technical summary
The vulnerability exists in ThinManager ThinServer's handling of input validation. An unauthenticated remote attacker can craft a malicious message that exploits improper input validation to perform SQL injection. This SQL injection capability can be leveraged to achieve remote code execution on the affected ThinServer device. The attack requires network access to the ThinServer, specifically TCP port 2031, with no authentication credentials needed. The vulnerability affects multiple major versions from 11.1.0 through 13.2.0, indicating broad exposure across deployed infrastructure.
Defensive priority
critical
Recommended defensive actions
- Apply the corrected ThinManager ThinServer versions (11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, or 13.2.2) from the ThinManager Downloads Site.
- Restrict network access to TCP port 2031, limiting connections to known thin clients and ThinManager servers only.
- Review and implement Rockwell Automation's security best practices for industrial control systems.
- Monitor for unauthorized access attempts or anomalous activity on ThinManager ThinServer systems, particularly on TCP port 2031.
- Prioritize patching for internet-facing or remotely accessible ThinManager deployments, because the exploitation path requires no authentication.
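Two of the actions above (confirming whether an installed version is covered by a corrected release, and watching TCP port 2031 for connections from anything other than known thin clients and ThinManager servers) can be checked with a small script. The following is an added example, not code from the advisory or from Rockwell Automation; it uses only the version numbers and port stated on this page, while the firewall log format, the field names, and the allowlisted subnets are assumptions made for the example.

```python
"""Added example (not from the advisory or Rockwell Automation): defender-side
checks for CVE-2024-5989 built from the facts stated on this page.

1. is_affected(): classify an installed ThinManager ThinServer version against
   the affected range (11.1.0 through 13.2.0) and the corrected releases.
2. flag_port_2031_connections(): scan firewall-style log lines and report
   TCP/2031 connections whose source is outside an allowlist of known thin
   clients and ThinManager servers.

Log line format, field names and allowlist subnets are assumptions.
"""
import ipaddress
import re

# Corrected releases per major.minor branch, exactly as listed in the advisory.
FIXED_RELEASES = {
    (11, 1): (11, 1, 8),
    (11, 2): (11, 2, 9),
    (12, 0): (12, 0, 7),
    (12, 1): (12, 1, 8),
    (13, 0): (13, 0, 5),
    (13, 1): (13, 1, 3),
    (13, 2): (13, 2, 2),
}
AFFECTED_LOW = (11, 1, 0)   # advisory: affected from 11.1.0 ...
AFFECTED_HIGH = (13, 2, 0)  # ... through 13.2.0


def parse_version(text):
    """Turn '13.1.2' into (13, 1, 2); raise ValueError on malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """Return (affected, note) for an installed ThinServer version.

    A branch with a listed corrected release is clear once it reaches that
    release; anything below it on that branch is conservatively treated as
    affected. A version inside 11.1.0..13.2.0 on a branch with no listed fix
    is reported as affected with a note to consult the vendor. Versions
    outside the stated range are reported as outside the advisory's scope.
    """
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        fixed_text = ".".join(map(str, fixed))
        if v >= fixed:
            return False, f"at or above corrected release {fixed_text}"
        return True, f"below corrected release {fixed_text}; upgrade"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return True, "in affected range; no corrected release listed for this branch"
    return False, "outside the affected range stated in the advisory"


# Assumed firewall log format: key=value fields for source, destination,
# protocol and destination port somewhere on the line.
LOG_LINE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)"
)


def flag_port_2031_connections(log_lines, allowed_sources):
    """Return (src, dst) pairs for TCP/2031 connections from non-allowlisted sources."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    flagged = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or m["proto"].upper() != "TCP" or int(m["dport"]) != 2031:
            continue  # not a TCP/2031 connection (or unparseable line)
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in nets):
            flagged.append((m["src"], m["dst"]))
    return flagged


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2024-07-12T08:00:01Z fw1 src=10.20.5.11 dst=10.20.1.10 proto=TCP dport=2031 action=ALLOW",
    "2024-07-12T08:00:07Z fw1 src=10.20.5.12 dst=10.20.1.10 proto=TCP dport=2031 action=ALLOW",
    "2024-07-12T08:01:44Z fw1 src=172.16.99.4 dst=10.20.1.10 proto=TCP dport=2031 action=ALLOW",
    "2024-07-12T08:02:10Z fw1 src=172.16.99.4 dst=10.20.1.10 proto=TCP dport=443 action=ALLOW",
    "2024-07-12T08:03:00Z fw1 src=198.51.100.7 dst=10.20.1.10 proto=UDP dport=2031 action=ALLOW",
]
# Assumed allowlist: thin-client VLAN and the ThinManager server subnet.
ALLOWED_SOURCES = ["10.20.5.0/24", "10.20.1.0/24"]

if __name__ == "__main__":
    for v in ("11.1.5", "12.0.7", "13.2.0", "13.2.2", "12.2.3", "10.0.1"):
        print(v, is_affected(v))
    for src, dst in flag_port_2031_connections(SAMPLE_LOG, ALLOWED_SOURCES):
        print(f"TCP/2031 from non-allowlisted source {src} -> {dst}")
```

The version check deliberately treats any release below a branch's corrected version as affected rather than relying solely on the 11.1.0 to 13.2.0 range, so a build that falls between the top of the stated range and the corrected release on the same branch is still flagged for upgrade. The log scan ignores non-TCP traffic and other ports, so only the one connection from outside the allowlisted subnets is reported.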
Evidence notes
Vulnerability details and remediation guidance are derived from CISA ICS Advisory ICSA-24-193-18, published July 11, 2024. The CVSS vector is confirmed as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Affected product versions and patched releases are explicitly listed in the vendor remediation section.
Official resources
- CVE-2024-5989 CVE record (CVE.org)
- CVE-2024-5989 NVD detail (NVD)
- Source item URL: cisa_csaf