Due to improper input validation, an unauthenticated threat actor can send a malicious message that invokes SQL injection in the program and causes a remote code execution condition on the Rockwell Automation ThinManager® ThinServer™.
Fixes

Solution

Affected Product: ThinManager® ThinServer™
Corrected software versions are available from the ThinManager® Downloads site: https://thinmanager.com/downloads/index.php

CVE                             First Known in software version   Corrected in software version
CVE-2024-5988, CVE-2024-5989    11.1.0                            11.1.8
                                11.2.0                            11.2.9
                                12.0.0                            12.0.7
                                12.1.0                            12.1.8
                                13.0.0                            13.0.5
                                13.1.0                            13.1.3
                                13.2.0                            13.2.2
CVE-2024-5990                   11.1.0                            11.1.8
                                11.2.0                            11.2.9
                                12.0.0                            12.0.7
                                12.1.0                            12.1.8
                                13.0.0                            13.0.4
                                13.1.0                            13.1.2

Customers using the affected software are encouraged to apply the risk mitigations from the list below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

· Update to the corrected software versions via the ThinManager® Downloads Site: https://thinmanager.com/downloads/index.php
· Limit remote access for TCP Port 2031 to known thin clients and ThinManager® servers.
· Security Best Practices: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight
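One way to apply the second mitigation on the Windows host that runs ThinServer, as an added example that is not part of the Rockwell advisory: it scopes every inbound Windows Defender Firewall rule for TCP/2031 to a list of known peers, creating the rule if none exists. The peer addresses are constructed placeholders, and the example assumes the host's firewall profiles keep the default inbound action of Block.

```powershell
# Added example, not vendor code. Restricts inbound TCP/2031 (ThinManager ThinServer)
# to known thin clients and ThinManager servers. Addresses below are placeholders.
$KnownPeers = @('192.0.2.10', '192.0.2.11', '198.51.100.0/24')   # constructed inventory

# 0. The allow rule below only helps if unlisted hosts are blocked by default;
#    confirm each profile still has DefaultInboundAction = Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 1. Find existing inbound rules that already open TCP/2031 (e.g. one created at
#    install time) and narrow their remote-address scope to the known peers.
$existing = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '2031' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' }
foreach ($rule in $existing) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $KnownPeers
}

# 2. If no rule existed, create one that allows TCP/2031 only from the known peers.
if (-not $existing) {
    New-NetFirewallRule -DisplayName 'ThinManager ThinServer (TCP 2031, known peers only)' `
        -Direction Inbound -Protocol TCP -LocalPort 2031 `
        -RemoteAddress $KnownPeers -Action Allow
}

# 3. Verify: every inbound TCP/2031 rule should now list only the known peers.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '2031' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
```

Windows Defender Firewall gives Block rules precedence over Allow rules, so scoping the Allow rule (rather than adding a broad Block rule) is what keeps the listed peers reachable.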


Workaround

No workaround given by the vendor.

History

Fri, 02 May 2025 20:15:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:rockwellautomation:thinmanager:11.1.0:*:*:*:*:*:*:*
        |                | cpe:2.3:a:rockwellautomation:thinmanager:11.2.0:*:*:*:*:*:*:*
        |                | cpe:2.3:a:rockwellautomation:thinmanager:12.0.0:*:*:*:*:*:*:*
        |                | cpe:2.3:a:rockwellautomation:thinmanager:12.1.0:*:*:*:*:*:*:*
        |                | cpe:2.3:a:rockwellautomation:thinmanager:13.0.0:*:*:*:*:*:*:*
        |                | cpe:2.3:a:rockwellautomation:thinmanager:13.1.0:*:*:*:*:*:*:*
        |                | cpe:2.3:a:rockwellautomation:thinmanager:13.2.0:*:*:*:*:*:*:*
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Sep 2024 12:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Rockwellautomation
                    |                | Rockwellautomation thinmanager
                    |                | Rockwellautomation thinserver
Weaknesses          |                | NVD-CWE-noinfo
CPEs                |                | cpe:2.3:a:rockwellautomation:thinmanager:*:*:*:*:*:*:*:*
                    |                | cpe:2.3:a:rockwellautomation:thinserver:*:*:*:*:*:*:*:*
Vendors & Products  |                | Rockwellautomation
                    |                | Rockwellautomation thinmanager
                    |                | Rockwellautomation thinserver
Metrics             |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Rockwell

Published:

Updated: 2025-08-27T20:42:59.534Z

Reserved: 2024-06-13T20:56:09.876Z

Link: CVE-2024-5989

Vulnrichment

Updated: 2024-08-01T21:25:03.287Z

NVD

Status: Modified

Published: 2024-06-25T16:15:25.363

Modified: 2024-11-21T09:48:42.330

Link: CVE-2024-5989

Redhat

No data.

OpenCVE Enrichment

No data.