CVE-2024-10386 Overview
CVE-2024-10386 is an authentication vulnerability affecting Rockwell Automation ThinManager. A threat actor with network access can send crafted messages to the device, potentially resulting in database manipulation. The flaw is tracked under [CWE-306: Missing Authentication for Critical Function] and impacts the ThinManager server component used to manage thin clients in industrial control system (ICS) environments.
Rockwell Automation published advisory SD1708 to address the issue. The vulnerability is network-exploitable without prior authentication or user interaction, exposing the management database to unauthorized modification by remote attackers.
Critical Impact
Unauthenticated attackers with network reachability to ThinManager can manipulate the backing database, undermining the integrity of thin client management in operational technology environments.
Affected Products
- Rockwell Automation ThinManager 11.2.x through earlier patched releases
- Rockwell Automation ThinManager 13.x prior to vendor-fixed builds
- Rockwell Automation ThinManager 14.0.0
Discovery Timeline
- 2024-10-25 - CVE-2024-10386 published to NVD
- 2024-11-05 - Last updated in NVD database
Technical Details for CVE-2024-10386
Vulnerability Analysis
The vulnerability is rooted in missing authentication for a critical function exposed by the ThinManager service. A remote attacker can reach the network-facing management interface and submit crafted protocol messages that the service processes without verifying the sender's identity. Because ThinManager governs thin client provisioning, configuration, and runtime state in industrial environments, database manipulation can disrupt operator workstations across a plant floor.
The attack vector is network-based and requires no privileges or user interaction. The vulnerability affects confidentiality, integrity, and availability of ThinManager data. Successful exploitation does not pivot beyond the ThinManager scope, but the integrity loss within that scope is severe because ThinManager databases store the configuration of every managed terminal.
The EPSS probability is 3.402% at the 87th percentile, indicating elevated exploitation likelihood relative to most CVEs. No public proof-of-concept exploit is currently listed, and CISA has not added the entry to its Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is the absence of an authentication check on a ThinManager network function that performs database operations. The service accepts and acts on crafted messages from unauthenticated peers, treating network reachability as sufficient authorization.
Attack Vector
An attacker positioned on a network segment that can reach the ThinManager server's listening service crafts protocol messages targeting the vulnerable handler. The handler processes the request and applies database changes without validating the caller. In flat OT networks where ThinManager is reachable from engineering or business VLANs, the exposure is significant.
No verified exploit code has been published. Refer to the Rockwell Automation Security Advisory SD1708 for vendor technical details.
Detection Methods for CVE-2024-10386
Indicators of Compromise
- Unexpected modifications to ThinManager configuration entries, terminal definitions, or display client assignments without a corresponding administrator session.
- Inbound TCP connections to ThinManager service ports originating from hosts outside the documented administration subnet.
- Anomalous ThinManager process activity correlated with database write operations during non-maintenance windows.
Detection Strategies
- Baseline normal administrative traffic to ThinManager and alert on connections from previously unseen source addresses or user-agents.
- Monitor ThinManager logs and underlying database transaction logs for additions, deletions, or edits not tied to an authenticated console session.
- Deploy network intrusion detection signatures on ICS DMZ boundaries to flag malformed or unauthenticated protocol messages directed at ThinManager.
Monitoring Recommendations
- Centralize ThinManager server, host operating system, and network flow logs into the SIEM for correlation across OT and IT boundaries.
- Track service restarts, configuration export events, and changes to terminal group membership as high-value telemetry.
- Review firewall logs for any traffic to ThinManager ports from outside approved engineering workstations.
How to Mitigate CVE-2024-10386
Immediate Actions Required
- Inventory all ThinManager servers, including version 14.0.0 and earlier maintenance branches, and identify network exposure.
- Apply the fixed versions published in Rockwell Automation advisory SD1708 as soon as change-control windows allow.
- Restrict ThinManager service ports to a dedicated management VLAN reachable only from authorized engineering workstations.
Patch Information
Rockwell Automation has released fixed builds for affected ThinManager branches. Consult the Rockwell Automation Security Advisory SD1708 for the specific version numbers that contain the authentication fix and follow the documented upgrade procedure.
Workarounds
- Place ThinManager servers behind an ICS firewall and block inbound traffic from non-engineering segments using deny-by-default rules.
- Enforce network segmentation between corporate IT and the OT zone hosting ThinManager, following the Purdue model.
- Disable or remove ThinManager instances that are no longer required for production thin client operation.
# Example firewall rule restricting ThinManager access to an engineering subnet
iptables -A INPUT -p tcp --dport 2031 -s 10.20.30.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 2031 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

