Skip to main content
CVE Vulnerability Database

CVE-2025-9065: Rockwell ThinManager SSRF Vulnerability

CVE-2025-9065 is a server-side request forgery flaw in Rockwell Automation ThinManager that allows authenticated attackers to expose NTLM hashes. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-9065 Overview

CVE-2025-9065 is a server-side request forgery (SSRF) vulnerability in Rockwell Automation ThinManager® software. The flaw stems from missing input sanitization on path parameters processed by the ThinServer® service. Authenticated attackers can specify external Server Message Block (SMB) paths, coercing the service to authenticate to attacker-controlled hosts. This action exposes the ThinServer® service account NTLM hash, which adversaries can capture for offline cracking or relay attacks. The vulnerability maps to CWE-918 (SSRF) and CWE-610 (Externally Controlled Reference to a Resource).

Critical Impact

Authenticated attackers can leak the ThinServer® service account NTLM hash by forcing SMB authentication to attacker-controlled hosts, enabling credential theft and lateral movement into operational technology environments.

Affected Products

  • Rockwell Automation ThinManager®
  • ThinServer® service component
  • Industrial endpoints managed via ThinManager thin clients

Discovery Timeline

  • 2025-09-09 - CVE-2025-9065 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9065

Vulnerability Analysis

The vulnerability resides in the request handling logic of the ThinServer® service, which processes path inputs without sufficient sanitization. An authenticated user can submit Universal Naming Convention (UNC) paths that point to external SMB shares instead of local resources. When the service attempts to resolve these paths, the underlying Windows networking stack initiates an SMB session and performs NTLM authentication using the ThinServer® service account credentials. An attacker controlling the destination host can capture the NTLMv2 challenge-response exchange.

Captured hashes enable two follow-on attacks. First, attackers can perform offline cracking against the hash to recover the plaintext password. Second, attackers can relay the authentication to other internal services that accept NTLM, potentially elevating privileges within the operational technology (OT) network. Because ThinServer® typically runs with elevated privileges to manage thin clients, recovered credentials carry significant access.

Root Cause

The root cause is missing input validation on resource path parameters. The application accepts arbitrary UNC paths and resolves them through the operating system without restricting destinations to allowlisted local or trusted shares.

Attack Vector

Exploitation requires authenticated network access to the ThinManager interface. The attacker submits a crafted request containing a UNC path pointing to an SMB listener on an external host. The ThinServer® service connects outbound and authenticates, transmitting the NTLM hash. No user interaction is required beyond the initial authenticated session.

Verified exploitation code is not publicly available. See the Rockwell Automation Security Advisory SD1743 for vendor technical details.

Detection Methods for CVE-2025-9065

Indicators of Compromise

  • Outbound SMB connections (TCP/445 or TCP/139) originating from ThinManager servers to untrusted or external IP addresses
  • NTLM authentication events from the ThinServer® service account targeting hosts outside the expected administrative scope
  • ThinManager application logs containing UNC paths referencing unfamiliar hostnames or IP literals
  • Unexpected DNS lookups from the ThinManager host for external domains

Detection Strategies

  • Inspect ThinManager request logs for path parameters containing \\ followed by external hostnames or IP addresses
  • Correlate Windows Security Event ID 4648 (explicit credential logon) from the ThinServer® service account against destination addresses
  • Deploy network detection rules that flag SMB traffic from OT management servers crossing security zone boundaries

Monitoring Recommendations

  • Monitor authentication telemetry for the ThinServer® service account, focusing on logon destinations outside approved infrastructure
  • Alert on any egress SMB traffic from ThinManager hosts, which should normally remain within the OT segment
  • Track configuration changes to ThinManager that introduce new path references or external resource definitions

How to Mitigate CVE-2025-9065

Immediate Actions Required

  • Apply the patched ThinManager® version identified in Rockwell Automation Advisory SD1743
  • Audit and rotate the ThinServer® service account password, assuming exposure if the patch was not previously applied
  • Restrict ThinManager administrative access to a minimal set of authenticated operators
  • Review ThinManager logs for prior abuse of UNC path inputs

Patch Information

Rockwell Automation has published fixed versions in security advisory SD1743. Refer to the vendor advisory for the specific fixed builds and upgrade guidance.

Workarounds

  • Block outbound SMB traffic (TCP/445, TCP/139) from ThinManager servers at the host firewall and network perimeter
  • Enforce SMB signing and disable NTLM authentication where operationally feasible to limit hash relay value
  • Run the ThinServer® service under a least-privilege account with no rights to other domain resources
  • Segment ThinManager servers into a restricted OT zone with no direct egress to untrusted networks
bash
# Example: block outbound SMB from a ThinManager host using Windows Firewall
netsh advfirewall firewall add rule name="Block Outbound SMB 445" \
  dir=out action=block protocol=TCP remoteport=445
netsh advfirewall firewall add rule name="Block Outbound SMB 139" \
  dir=out action=block protocol=TCP remoteport=139

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.