CVE-2024-7987 in ThinManager ThinServerinfo

Summary

by MITRE • 08/26/2024

A remote code execution vulnerability exists in the Rockwell Automation ThinManager® ThinServer™ that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability and a threat actor must abuse the ThinServer™ service by creating a junction and use it to upload arbitrary files.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 10/21/2025

The vulnerability identified as CVE-2024-7987 represents a critical remote code execution flaw within Rockwell Automation's ThinManager® ThinServer™ software, which operates as a remote desktop and application virtualization platform widely deployed in industrial control systems and critical infrastructure environments. This vulnerability stems from insufficient input validation and improper privilege handling within the ThinServer™ service, creating an exploitable condition that enables remote attackers to gain system-level access. The flaw specifically manifests when the service processes file junction operations, allowing malicious actors to manipulate the system's file structure through crafted junction points that subsequently facilitate arbitrary file uploads.

The technical exploitation of this vulnerability follows a precise sequence that begins with the creation of a symbolic junction point within the ThinServer™ service framework, followed by the upload of malicious payloads through this manipulated file system interface. This approach leverages the service's inherent trust in local file operations while bypassing standard security controls that would normally prevent unauthorized file system modifications. The vulnerability is classified under CWE-78, which addresses OS command injection, and CWE-22, which covers improper limitation of a pathname to a restricted directory, indicating that the flaw involves both path traversal and command execution capabilities. The exploitation mechanism aligns with ATT&CK technique T1059.007 for command and scripting interpreter and T1078.002 for valid accounts, as attackers must establish a foothold through legitimate service interactions before executing malicious code with elevated privileges.

The operational impact of CVE-2024-7987 extends beyond typical remote code execution scenarios due to the industrial control system environment where ThinManager® ThinServer™ is deployed. This vulnerability poses significant risks to operational technology infrastructure, potentially allowing attackers to compromise entire industrial networks through a single vulnerable endpoint. The system-level privileges granted through exploitation mean that attackers can manipulate critical system configurations, access sensitive operational data, and potentially cause physical damage to industrial processes. Organizations using this software in manufacturing, energy, or other critical sectors face heightened risk of supply chain attacks and nation-state targeting due to the high-value nature of the compromised systems. The vulnerability's remote exploitability without authentication creates a particularly dangerous scenario where attackers can target these systems from external networks without requiring physical access or prior compromise of other network segments.

Mitigation strategies for CVE-2024-7987 should prioritize immediate patching of affected ThinManager® ThinServer™ installations through Rockwell Automation's official security updates, as the vendor has likely released specific fixes for this vulnerability. Network segmentation and firewall rules should be implemented to restrict access to ThinServer™ services to only authorized personnel and systems, effectively limiting the attack surface. Monitoring for suspicious file creation and junction point manipulation activities should be enabled through security information and event management systems, with alerts configured for anomalous behavior in the ThinServer™ service operations. Additionally, implementing principle of least privilege for ThinServer™ service accounts and conducting regular security assessments of industrial control system environments can help reduce the overall risk exposure. Organizations should also consider implementing network-based intrusion detection systems specifically tuned to detect the exploitation patterns associated with this vulnerability, as well as establishing incident response procedures that account for the unique challenges posed by industrial control system compromises.

Reservation

08/19/2024

Disclosure

08/26/2024

Moderation

accepted

CPE

ready

EPSS

0.00316

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!