
CVE-2025-9065: CWE-610: Externally Controlled Reference to a Resource in Another Sphere in Rockwell Automation ThinManager

Severity: High
Tags: Vulnerability, CVE-2025-9065, cve, cwe-610
Published: Tue Sep 09 2025 (09/09/2025, 12:51:42 UTC)
Source: CVE Database V5
Vendor/Project: Rockwell Automation
Product: ThinManager

Description

A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. Authenticated attackers can exploit this vulnerability by specifying external SMB paths, exposing the ThinServer® service account NTLM hash.

AI-Powered Analysis

Last updated: 09/09/2025, 13:02:07 UTC

Technical Analysis

CVE-2025-9065 is a high-severity vulnerability affecting Rockwell Automation's ThinManager software versions 13.0 through 14.0. It is classified under CWE-610 (Externally Controlled Reference to a Resource in Another Sphere). Specifically, the issue arises from insufficient input sanitization in the ThinManager software, which allows authenticated attackers to specify external SMB (Server Message Block) paths. This produces a server-side request forgery (SSRF) condition in which the ThinServer service attempts to access attacker-controlled SMB resources, and as a result the ThinServer service account's NTLM hash can be exposed to the attacker. NTLM hashes are sensitive authentication credentials that, if captured, can be used in relay or pass-the-hash attacks to escalate privileges or move laterally within a network.

The vulnerability does not require user interaction, but it does require the attacker to authenticate with high privileges (PR:H). The CVSS 4.0 score of 8.6 reflects the high impact on confidentiality, integrity, and availability, with a network attack vector and low attack complexity. The vulnerability scope is high, indicating that exploitation can affect resources beyond the initially vulnerable component.

No known exploits are currently reported in the wild, and no patches have been linked yet. However, given the nature of the vulnerability and the critical role ThinManager plays in industrial environments for managing thin clients and terminal servers, it poses a significant risk to operational technology (OT) environments and industrial control systems (ICS).
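The root cause described above is an operator-supplied path that is passed through to the service's file access without a check on where it points. As an added illustration (not ThinManager code and not a description of the vendor's fix), this is the shape of an allowlist check that closes that class of issue: the host part of any UNC path is extracted and compared against a fixed set of approved internal file servers, so the service never opens an SMB session, and never presents its service-account credentials, to a host named by the request. The allowlist contents, the function names and the sample paths are all constructed for this example.

```python
import re
from typing import Optional, Tuple

# Constructed allowlist of internal file servers the service may open SMB
# sessions to (assumption: a real deployment would load this from configuration).
ALLOWED_UNC_HOSTS = {"fs01.plant.local", "fs02.plant.local"}

# A UNC path starts with two slashes of either kind; the host is everything up
# to the next slash. Only plain DNS-style hostnames are accepted as hosts.
_UNC_PREFIX_RE = re.compile(r"^[\\/]{2}")
_HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$")


def unc_host(path: str) -> Optional[str]:
    """Host component of a UNC path, lower-cased with any trailing dot
    removed, or None when the path is not UNC (drive letter, relative)."""
    p = path.strip()
    if not _UNC_PREFIX_RE.match(p):
        return None
    host = re.split(r"[\\/]", p[2:], maxsplit=1)[0]
    return host.lower().rstrip(".")


def validate_share_path(path: str) -> Tuple[bool, str]:
    """Allowlist check for an operator-supplied path.

    Returns (accepted, reason). Every UNC path whose host is not an approved
    internal file server is rejected, so the service never initiates an SMB
    session (and never presents its service-account credentials) to a host
    chosen by the request. UNC forms that do not parse as a plain hostname
    (device paths, empty hosts, host@port or host:port shapes) fail closed.
    """
    host = unc_host(path)
    if host is None:
        # Local paths do not cause an outbound SMB connection; accepted here.
        # Any path-traversal checks on local paths are out of scope for this example.
        return True, "local path"
    if not _HOSTNAME_RE.match(host):
        return False, f"UNC host {host!r} is not a plain hostname"
    if host not in ALLOWED_UNC_HOSTS:
        return False, f"UNC host {host!r} is not an approved file server"
    return True, f"approved file server {host}"
```

Note that the check is an allowlist of names, not a "reject public IP addresses" denylist: a denylist would still let the service authenticate to any internal machine an authenticated attacker happens to control.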

Potential Impact

For European organizations, particularly those in industrial sectors such as manufacturing, energy, utilities, and critical infrastructure, this vulnerability presents a substantial risk. ThinManager is widely used in industrial automation to manage and secure thin clients and terminal servers, often interfacing with critical OT systems. Exploitation could lead to credential theft (NTLM hashes), enabling attackers to perform lateral movement and privilege escalation, and potentially to disrupt industrial processes or cause downtime. The exposure of NTLM hashes could also facilitate further attacks on corporate IT networks connected to OT environments, bridging the gap between the IT and OT security domains. This could result in operational disruptions, safety incidents, intellectual property theft, and regulatory non-compliance, especially under stringent European cybersecurity regulations such as NIS2 and GDPR. Because no user interaction is required and the attack vector is network-based, the likelihood of exploitation is higher in environments where attackers have already obtained valid credentials, for example through phishing or insider threats.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to ThinManager management interfaces to trusted administrators only, using network segmentation and strict access control lists (ACLs) to limit exposure.
2. Implement multi-factor authentication (MFA) for all ThinManager user accounts to reduce the risk of credential compromise.
3. Monitor network traffic for unusual SMB requests originating from ThinManager servers to detect potential exploitation attempts.
4. Employ network-level SMB traffic filtering and logging to identify and block unauthorized external SMB path requests.
5. Regularly audit and rotate service account credentials, especially the ThinServer service account, to limit the window of opportunity for attackers.
6. Apply the principle of least privilege to service accounts and administrative users to minimize potential damage.
7. Stay alert for official patches or updates from Rockwell Automation and apply them promptly once available.
8. Conduct internal penetration testing and vulnerability assessments focusing on ThinManager deployments to identify and remediate exposure.
9. Educate administrators about the risks of SSRF and the importance of input validation and secure configuration in industrial software.
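Recommendations 3 and 4 come down to one concrete detection: the ThinServer host should only ever open SMB sessions to a known set of internal file servers, so any TCP/445 or TCP/139 flow from it to anywhere else is worth an alert. The following is an added example (not a ThinManager or vendor tool) that runs that rule over firewall or flow logs; the ThinServer address, the approved file servers, the internal ranges and the key=value log lines are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed values (assumptions for this example, not from the advisory): the
# ThinServer host, the file servers it legitimately reaches, internal ranges.
THINSERVER_HOSTS = {"10.10.5.20"}
APPROVED_SMB_SERVERS = {"10.10.5.40", "10.10.5.41"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}
# Constructed flow-log sample in key=value form (not real firewall output).
SAMPLE_FLOW_LOG = """\
2025-09-09T12:51:40Z src=10.10.5.20 dst=10.10.5.40 proto=tcp dport=445 action=allow
2025-09-09T12:51:42Z src=10.10.5.20 dst=203.0.113.10 proto=tcp dport=445 action=allow
2025-09-09T12:51:43Z src=10.10.5.20 dst=10.10.9.77 proto=tcp dport=445 action=allow
2025-09-09T12:51:44Z src=10.10.7.3 dst=203.0.113.10 proto=tcp dport=445 action=allow
2025-09-09T12:51:45Z src=10.10.5.20 dst=10.10.5.41 proto=tcp dport=443 action=allow
"""
_KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_flow(line: str) -> Dict[str, str]:
    # One 'ts key=value ...' line becomes a dict; the timestamp is stored as 'ts'.
    rec = dict(_KV_RE.findall(line))
    rec["ts"] = line.split(" ", 1)[0]
    return rec

def classify(rec: Dict[str, str]) -> Optional[str]:
    """Severity of one flow, or None when it needs no alert."""
    if rec.get("src") not in THINSERVER_HOSTS or rec.get("proto") != "tcp":
        return None
    if int(rec.get("dport", 0)) not in SMB_PORTS:
        return None
    dst = ipaddress.ip_address(rec["dst"])
    if not any(dst in net for net in INTERNAL_NETS):
        # SMB leaving the internal ranges: the route by which the service
        # account's NTLM authentication would reach an external host.
        return "high"
    if rec["dst"] not in APPROVED_SMB_SERVERS:
        return "medium"  # internal, but not a server ThinServer should use
    return None

def scan(log_text: str) -> List[Dict[str, str]]:
    """One alert per suspicious SMB flow, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if (sev := classify(rec)):
            alerts.append({"ts": rec["ts"], "dst": rec["dst"], "severity": sev})
    return alerts
```

The internal ranges are listed explicitly rather than taken from `ipaddress`'s `is_private`, which also covers documentation ranges such as 203.0.113.0/24 and would hide the external flow in the sample.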


Technical Details

Data Version: 5.1
Assigner Short Name: Rockwell
Date Reserved: 2025-08-15T13:58:23.749Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c02524b7075cbbdbb19447

Added to database: 9/9/2025, 1:01:24 PM

Last enriched: 9/9/2025, 1:02:07 PM

Last updated: 9/9/2025, 9:12:27 PM

