PatchSiren


CVE-2024-7987 Rockwell Automation CVE debrief

A remote code execution vulnerability in Rockwell Automation ThinManager ThinServer allows a threat actor to execute arbitrary code with System privileges by abusing the ThinServer service to create a junction and upload arbitrary files. The vulnerability was published on August 29, 2024, with a CVSS 3.1 score of 7.8 (HIGH). Multiple versions across the 11.x, 12.x, and 13.x release lines are affected. Rockwell Automation has released patched versions to address this issue.

Vendor: Rockwell Automation
Product: ThinManager ThinServer
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-29
Original CVE updated: 2024-08-29
Advisory published: 2024-08-29
Advisory updated: 2024-08-29

Who should care

Organizations operating Rockwell Automation ThinManager ThinServer in industrial environments, particularly manufacturing, process control, and critical infrastructure sectors. System administrators, OT security teams, and asset owners responsible for thin client management infrastructure should prioritize patching.

Technical summary

CVE-2024-7987 is a remote code execution vulnerability in Rockwell Automation ThinManager ThinServer. The vulnerability exists in the ThinServer service and can be exploited by creating a junction to upload arbitrary files, resulting in arbitrary code execution with System privileges. The attack requires local access with low privileges but no user interaction. Affected versions span multiple release branches: 11.1.0 through 11.1.6, 11.2.0 through 11.2.7, 12.0.0 through 12.0.5, 12.1.0 through 12.1.6, 13.0.0 through 13.0.3, 13.1.0 through 13.1.1, and 13.2.0. Rockwell Automation has released security updates to address this vulnerability.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade ThinManager ThinServer to a patched version: 11.1.8 or later for 11.1.x, 11.2.9 or later for 11.2.x, 12.0.7 or later for 12.0.x, 12.1.8 or later for 12.1.x, 13.0.5 or later for 13.0.x, 13.1.3 or later for 13.1.x,
  • Apply Rockwell Automation security best practices to minimize exposure
  • Review and implement ICS recommended practices from CISA for defense-in-depth
  • Monitor for unauthorized file uploads or junction creation attempts on ThinServer systems
  • Restrict local access to ThinServer systems to authorized administrators only
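
The version triage implied by the technical summary and the upgrade action above, as an added example (not PatchSiren or Rockwell Automation code). It uses only the version numbers quoted on this page; the hostnames are constructed, and builds the page does not settle (for example 11.1.7, or any 13.2.x fix) are flagged for vendor verification rather than guessed.

```python
# Added example: triage ThinServer versions against the ranges on this page.
AFFECTED_LAST = {  # branch -> last affected patch level (ranges start at x.y.0)
    (11, 1): 6, (11, 2): 7, (12, 0): 5, (12, 1): 6,
    (13, 0): 3, (13, 1): 1, (13, 2): 0,
}
FIXED_MIN = {  # branch -> minimum patched patch level from the upgrade action
    (11, 1): 8, (11, 2): 9, (12, 0): 7, (12, 1): 8, (13, 0): 5, (13, 1): 3,
    # 13.2.x: no patched version is given on this page, so none is assumed
}

def parse_version(text):
    """Parse 'major.minor.patch' (extra components ignored); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdecimal() for p in parts[:3]):
        return None
    return tuple(int(p) for p in parts[:3])

def classify(version_text):
    """Return (status, minimum patched version string or None)."""
    v = parse_version(version_text)
    if v is None:
        return ("unparseable", None)
    branch, patch = v[:2], v[2]
    if branch not in AFFECTED_LAST:
        return ("branch-not-covered", None)
    fixed = FIXED_MIN.get(branch)
    target = f"{branch[0]}.{branch[1]}.{fixed}" if fixed is not None else None
    if patch <= AFFECTED_LAST[branch]:
        return ("affected", target)
    if fixed is not None and patch >= fixed:
        return ("patched", target)
    # Between the last listed affected build and the listed fix (e.g. 11.1.7),
    # or a 13.2.x build above 13.2.0: the page does not settle it.
    return ("verify-with-vendor", target)

def triage(inventory):
    """inventory: iterable of (host, version) -> [(host, version, status, target)]."""
    return [(host, ver) + classify(ver) for host, ver in inventory]

if __name__ == "__main__":
    sample = [("hmi-srv-01", "11.1.6"), ("hmi-srv-02", "11.1.7"),  # constructed
              ("hmi-srv-03", "13.2.0"), ("hmi-srv-04", "12.1.8")]
    for row in triage(sample):
        print(*row, sep="\t")
```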

Evidence notes

The vulnerability description and affected product versions are derived from CISA CSAF advisory ICSA-24-242-01. The CVSS vector indicates a local attack vector with low attack complexity, requiring low privileges and no user interaction, with high impact on confidentiality, integrity, and availability.
