Resources > research

FP-2023-03 — ThinManager

ThinManager Thinserver.exe /api/documentation Endpoint Path Traversal Remote File Disclosure

Vendor / Product information

“Our ThinManager® thin client management software allows control and security in a sustainable and scalable platform regardless of the size of your industrial environment or number of facilities. The thin client architecture gives users the applications and tools familiar to them in a format that reduces management and maintenance costs while it increases security.”


Vulnerable program details

Details for tested products and versions:

Vendor: Rockwell Automation
Product: ThinManager
Component: Thinserver.exe
Version: 13.0 SP2

NOTE: Other versions than the one listed above are likely affected. The security advisory released by Rockwell reports versions 13.0.0 through 13.0.2 as vulnerable as well as ThinServer version 13.1.0.


Sven Krewitt, Flashpoint

Vulnerability details

Rockwell Automation ThinManager contains a flaw that allows traversing outside of a restricted path and allows a remote attacker to read files on the local file system with SYSTEM-level privileges.

Exploitation of this issue requires that API endpoints are enabled in the HTTPS server API settings, which are disabled by default.

The issue can be triggered when handling requests to the /api/documentation endpoint. By submitting a path containing a path traversal sequence (e.g. ‘../’), a remote attacker can read arbitrary files from the server’s file system with privileges of the server (NT AUTHORITY\SYSTEM).

Proof of concept

Enable API endpoints in the HTTPS Server Settings.

Use curl to send a specially crafted request to the endpoint

$ curl --path-as-is -k https://[serverIP]:8443/api/documentation/../../../../../../../windows/system.ini


The vulnerability is fixed in ThinManager version 13.0.3 and ThinServer version 13.1.1.


Flashpoint: FP-2023-003
VulnDB: 326476
CVE: CVE-2023-2913
Rockwell: PN1635


2023-04-04 Vulnerability discovered.
2023-04-14 Vulnerability reported to Rockwell Automation PSIRT
2023-04-25 Vendor response.
2023-07-18 Vulnerability published to VulnDB customers.
2023-07-19 Publication of this vulnerability report.