CVE-2025-9065
EUVD-2025-2724909.09.2025, 13:15
A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. Authenticated attackers can exploit this vulnerability by specifying external SMB paths, exposing the ThinServer® service account NTLM hash.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| rockwellautomation | thinmanager | 13.0.0 ≤ 𝑥 ≤ 14.0.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-610 - Externally Controlled Reference to a Resource in Another SphereThe product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
- CWE-918 - Server-Side Request Forgery (SSRF)The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.