Addressing CISA Advisory on Rockwell Automation ThinManager SSRF Vulnerability (CVE-2025-9065)


Critical Security Alert: If you are an organization using Rockwell’s ThinManager software version 13.0 or below, you are vulnerable. If you cannot upgrade immediately, please scroll to the section on compensating controls below and contact our team without delay.

On September 9, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a critical advisory for a high-severity Server-Side Request Forgery (SSRF) vulnerability in Rockwell Automation’s ThinManager software.

Much of the severity of this Common Vulnerabilities and Exposures (CVE) entry comes from the breadth of end users affected: it spans both Critical National Infrastructure and Critical Manufacturing sectors.

In Critical National Infrastructure, sectors such as energy and utilities, oil and gas, water and wastewater treatment, and transportation are most at risk. Power plants, pipeline operations, Supervisory Control and Data Acquisition (SCADA) systems, and even rail and airport infrastructure all rely heavily on ThinManager.

In Critical Manufacturing, the potential impact extends to automotive assembly lines, petrochemical process control systems, food and beverage production automation, pharmaceutical batch control, electronics and semiconductor testing, and metals and mining operations.

This Needs Urgent Attention

Enterprises in these sectors cannot afford to overlook this SSRF flaw in critical digital systems. Operational Technology (OT) applications like ThinManager typically run with elevated privileges, which makes successful exploitation particularly dangerous.

Additionally, SSRF exploits can bypass network segmentation controls: the attacker uses the compromised server as a stepping-stone into other segments through lateral movement. Enterprises that have enabled Information Technology–Operational Technology (IT-OT) connectivity are particularly exposed. An attacker moving from OT into IT is uncommon, but this flaw makes it a very real possibility.

Vulnerability Details

This vulnerability, identified as CVE-2025-9065, affects ThinManager versions 13.0 through 14.0. It allows an authenticated attacker to coerce the server into exposing the NT LAN Manager (NTLM) credentials of its high-privilege service account.

Rockwell Automation ThinManager, a thin client management software widely used in manufacturing and industrial environments, manages thin clients, remote terminals, and session brokering for operator workstations.

The most significant risk is exposure of the ThinServer service account’s NTLM hash. This hash is derived from the service account password and can be abused in several attacks, including:

  • Pass-the-Hash Attacks: Using the stolen hash to authenticate to other systems without knowing the actual password.
  • NTLM Relay Attacks: Forwarding the coerced NTLM authentication to third-party systems.
  • Offline Password Cracking: Attempting to crack the hash to recover the plaintext password.

Exploit Mechanism

  1. Crafting: The attacker crafts a malicious Server Message Block (SMB) path pointing to a controlled server.
  2. Coercion: ThinServer initiates an outbound SMB connection to the attacker’s server, bypassing firewall restrictions.
  3. Authentication: The NTLM challenge/response exposes the service account hash.
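As an added defender-side example (not code from the advisory, Rockwell or ColorTokens), the following Python flags outbound SMB flows from the ThinServer host to destinations outside an approved file-share allow-list, so the coercion in step 2 is caught whether the firewall allowed or denied it, and checks a user-supplied UNC path (step 1) against the same allow-list. The host addresses, names and firewall log format are constructed for illustration.

```python
import ipaddress
import re

# Constructed topology: the ThinServer host, the file servers it may reach over SMB, and the OT address space.
THINSERVER_HOSTS = {"10.10.20.5"}
APPROVED_SMB_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.20.0/24", "10.10.30.10/32")]
APPROVED_SMB_NAMES = {"fs01.ot.example"}
OT_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16")]  # anything outside this is treated as IT/Internet

# Constructed firewall export, one flow per line: src=<ip> dst=<ip> proto=<p> dport=<n> action=<allow|deny>
SAMPLE_LOG = """\
2025-09-10T08:01:12Z src=10.10.20.5 dst=10.10.30.10 proto=tcp dport=445 action=allow
2025-09-10T08:01:15Z src=10.10.20.5 dst=10.10.20.7 proto=tcp dport=445 action=allow
2025-09-10T08:02:03Z src=10.10.20.5 dst=203.0.113.44 proto=tcp dport=445 action=allow
2025-09-10T08:02:09Z src=10.10.20.9 dst=203.0.113.44 proto=tcp dport=445 action=allow
2025-09-10T08:03:40Z src=10.10.20.5 dst=10.10.50.3 proto=tcp dport=445 action=deny
"""
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)")

def _in_any(ip, networks):
    return any(ip in net for net in networks)

def classify_flow(line):
    """Flag an SMB flow from ThinServer to a non-allow-listed host as (dst, action, reason); denied flows count too."""
    m = FLOW_RE.search(line)
    if not m or m["src"] not in THINSERVER_HOSTS:
        return None
    if m["proto"].lower() != "tcp" or int(m["dport"]) not in (445, 139):
        return None
    dst = ipaddress.ip_address(m["dst"])
    if _in_any(dst, APPROVED_SMB_NETWORKS):
        return None
    reason = ("outbound SMB to unapproved OT host" if _in_any(dst, OT_SEGMENTS)
              else "outbound SMB leaving the OT segment: possible SSRF-driven NTLM coercion")
    return (m["dst"], m["action"], reason)

def scan_log(text):
    return [a for a in map(classify_flow, text.splitlines()) if a]

def is_approved_unc(path):
    """Application-layer check on the SSRF input itself: accept a UNC path only when its host is a
    plain name or IPv4 literal on the allow-list; ports, credentials and other decorations fail."""
    m = re.match(r"^\\\\([A-Za-z0-9.-]+)\\[^\\]+", path)
    if not m:
        return False
    host = m.group(1).lower()
    try:
        return _in_any(ipaddress.ip_address(host), APPROVED_SMB_NETWORKS)
    except ValueError:
        return host in APPROVED_SMB_NAMES
```

Running `scan_log(SAMPLE_LOG)` reports two flows: the allowed connection to 203.0.113.44 (the coercion pattern) and the denied attempt to an unapproved OT host, which is worth investigating even though it was blocked.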

Breach Readiness Alert: Credential theft can lead to:

  • Lateral Movement: Network traversal using stolen credentials.
  • Privilege Escalation: Elevated access to critical systems.
  • Network Discovery: Internal network mapping and reconnaissance.

Primary Remediation:

A patch is available. Rockwell Automation has released ThinManager v14.1, which addresses the SSRF vulnerability. This is the most effective and recommended solution.

ColorTokens recommends that affected organizations immediately upgrade to ThinManager v14.1 or later and rotate the service account password after upgrading to invalidate any potentially captured NTLM hashes.

Compensating Controls:

For organizations unable to immediately upgrade, the following compensating controls can reduce risk:

  • Deploy ColorTokens Xshield Gatekeeper to isolate industrial systems that are difficult to upgrade, in line with Rockwell’s guidance, while still allowing the communications needed for normal operations.
  • Adopt PureAuth, a digital certificate–based authentication solution, to put Zero Trust authentication in place and defend against credential-stuffing attacks, especially for service accounts.

Both of these controls are swift and seamless to adopt.

Next Steps

Cyber threats targeting industrial and critical infrastructure environments demand proactive defense. If your organization is impacted by CVE-2025-9065 or wants to strengthen breach readiness, ColorTokens can help.

Get in touch with one of our top advisors to learn how we can safeguard your digital operations.