CVE-2023-27855

In affected versions, a path traversal exists when processing a message in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker could overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
RockwellCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
rockwellautomationthinmanager
6.0.0 ≤
𝑥
≤ 10.0.2
rockwellautomationthinmanager
11.0.0 ≤
𝑥
≤ 11.0.5
rockwellautomationthinmanager
11.1.0 ≤
𝑥
≤ 11.1.5
rockwellautomationthinmanager
11.2.0 ≤
𝑥
≤ 11.2.6
rockwellautomationthinmanager
12.0.0 ≤
𝑥
≤ 12.0.4
rockwellautomationthinmanager
12.1.0 ≤
𝑥
≤ 12.1.5
rockwellautomationthinmanager
13.0.0
rockwellautomationthinmanager
13.0.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138640
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138640