Cyber Resilience

CVE-2023-27856

High

Published: 22 March 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.4820 (97.8th percentile)
Risk Priority: 44 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-27856 is a high-severity Path Traversal (CWE-22) vulnerability in Rockwell Automation ThinManager. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

In Rockwell Automation's ThinManager ThinServer, a path traversal vulnerability exists when processing a message of type 8. The flaw resides in the ThinServer.exe component and is tracked as CWE-22. Its CVSS 3.1 score of 7.5 reflects that it is attackable over the network without authentication or user interaction.

An unauthenticated remote attacker can send a crafted message of type 8 to retrieve arbitrary files from the disk drive on which ThinServer.exe is installed, exposing sensitive data (high confidentiality impact, no integrity or availability impact).

The vendor advisory at https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138640 provides official guidance on the issue. The associated EPSS score rose from lower values to a peak of 0.5473 before receding to the current 0.4820.

Vulnerability details

In affected versions, path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rockwellautomation
Product: thinmanager
Affected versions: 13.0.0, 13.0.1; 6.0.0 to 10.0.2; 11.0.0 to 11.0.5; 11.1.0 to 11.1.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
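As an added illustration of this control (example code written for this page, not ThinManager's own implementation), the function below confines a client-supplied file name to an allowed root directory before a file-retrieval handler opens it. The root path, the handler name and the sample inputs are constructed assumptions; backslashes are treated as separators because the affected component runs on Windows.

```python
import posixpath
import re

# Hypothetical directory a file-retrieval handler is allowed to serve from
# (constructed for this example; not a real ThinManager path).
ALLOWED_ROOT = "/srv/thinserver/share"

# Drive-letter (C:) and UNC (\\host or //host) prefixes are never acceptable
# in a client-supplied relative name.
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def resolve_within_root(requested: str, root: str = ALLOWED_ROOT):
    """Return the confined absolute path for `requested`, or None if it is
    rejected. Purely lexical: it rejects (rather than silently clamps) any
    '..' that would climb above `root`, absolute paths, drive/UNC prefixes,
    empty names and embedded NUL bytes."""
    if not requested or "\x00" in requested:
        return None
    if _DRIVE_OR_UNC.match(requested):
        return None
    normalized = requested.replace("\\", "/")
    if normalized.startswith("/"):
        return None
    stack = []
    for segment in normalized.split("/"):
        if segment in ("", "."):
            continue  # empty (doubled separators) and '.' are no-ops
        if segment == "..":
            if not stack:
                return None  # would climb above the root: reject outright
            stack.pop()
            continue
        stack.append(segment)
    if not stack:
        return None  # resolved to the root itself; nothing to serve
    candidate = posixpath.join(root, *stack)
    # Defence in depth: confirm the joined result still lies under root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate
```

The check is lexical only; a production handler should additionally resolve the final path (real path, following symlinks and junctions) and re-verify it lies under the root before opening the file.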
