By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: ColorTokensPublished September 12, 2025

TL;DR: CISA’s advisory on CVE-2025-9065 describes an authenticated SSRF flaw in Rockwell Automation ThinManager that can expose a high-privilege service account’s NTLM credentials, creating pass-the-hash, relay, and lateral-movement risk across OT and IT-connected environments, according to ColorTokens. The issue shows how service-account trust assumptions and network segmentation can fail together when OT systems expose credentials over outbound connections.


At a glance

What this is: This is an analysis of a ThinManager SSRF vulnerability that can expose a high-privilege service account’s NTLM hash and enable credential abuse in OT environments.

Why it matters: It matters because OT identity exposures can become enterprise-wide movement paths, especially where service accounts, segmentation, and IT-OT connectivity are already tightly coupled.

By the numbers:

👉 Read ColorTokens's analysis of CVE-2025-9065 and ThinManager NTLM exposure


Context

CVE-2025-9065 is a server-side request forgery issue in ThinManager that can coerce the server into making outbound SMB connections and exposing NTLM credentials. In practical identity terms, this is not just an application bug. It is a service-account exposure event in an OT control plane where the credential itself can become the path into adjacent systems.

The governance problem is familiar across NHI programmes, even if the environment is industrial rather than cloud-native. High-privilege service accounts are often trusted to move silently across boundaries, and SSRF turns that trust into a credential-harvesting path that can bypass segmentation and expand laterally into IT-connected assets.

For OT operators, the starting position is typical rather than exceptional: legacy trust, elevated service accounts, and patching constraints often coexist. That combination makes the exposure especially relevant to IAM, PAM, and network segmentation owners who are responsible for machine identities that were never designed for hostile outbound communication.


Key questions

Q: What fails when an OT service account can be coerced into authenticating outward?

A: The failure is not only credential exposure. The deeper issue is that the service account becomes a reusable identity artifact outside its intended trust boundary, which can enable pass-the-hash or relay abuse. In OT, that often means an attacker can turn one server-side flaw into broader access across management and control systems.

Q: Why do OT service accounts increase lateral movement risk after SSRF exposure?

A: They often carry broad privileges and are trusted across multiple systems, segments, or management planes. If their NTLM material is exposed, the attacker may not need to compromise a second host at all. The account itself can become the bridge from one zone to another.

Q: How do security teams measure whether OT machine identities are too exposed?

A: Look for service accounts that authenticate across more than one segment, authenticate outbound without a clear operational reason, or remain active after their original use case has changed. If one account can move between zones, the governance model is already wider than the risk appetite.

Q: Who is accountable when a privileged OT service account is exposed through SSRF?

A: Accountability usually spans application owners, OT operations, IAM, and network security because the failure crosses software, identity, and segmentation boundaries. The practical question is whether anyone owns the service account lifecycle end to end, including password rotation, scope reduction, and offboarding.


Technical breakdown

How SSRF turns an OT server into a credential relay point

Server-side request forgery lets an attacker make a vulnerable server send outbound requests to an attacker-controlled destination. In this case, ThinManager can be induced to initiate an SMB connection, which is significant because SMB authentication can reveal NTLM challenge-response material tied to a high-privilege service account. The vulnerability matters less as a web flaw and more as a trust-bypass mechanism: the server itself becomes the transport for credential exposure. Once an OT application can be manipulated into authenticating externally, network boundaries no longer protect the secret embedded in the account.

Practical implication: inspect OT applications for unsolicited outbound authentication paths and block them at the egress layer where possible.

Why NTLM hashes create pass-the-hash and relay exposure

An NTLM hash is not a password reset token or a benign identifier. It is a reusable credential artifact that can sometimes authenticate to other systems without recovering the plaintext password. That creates multiple abuse paths: pass-the-hash, NTLM relay, and offline cracking. In industrial environments, the danger is amplified because a single service account often has broad operational reach. If that account is shared, stale, or over-privileged, one exposed hash can become a reusable control-plane credential across several systems and sessions.

Practical implication: treat service-account hashes as live credentials and scope them as tightly as any privileged operator account.

Why IT-OT connectivity changes lateral movement risk

SSRF is especially dangerous when the vulnerable system sits between OT and IT or has paths into both. Once an attacker can leverage the service account for authentication, lateral movement no longer depends on remote code execution on the target itself. It depends on where the stolen credential already has trust. In mixed environments, segmentation can be bypassed if the credential is valid across connected segments or management planes. That is why the issue is not isolated to one device family. It exposes the identity assumptions that make cross-domain access possible.

Practical implication: map where OT service accounts can authenticate and remove cross-segment trust that is not operationally required.


Threat narrative

Attacker objective: The attacker wants reusable privileged identity material that can open broader access to industrial and connected enterprise systems.

  1. Entry occurs when an authenticated attacker crafts an SMB path that forces ThinManager to connect to an attacker-controlled server and expose NTLM material.
  2. Escalation follows when the captured service-account hash is reused for pass-the-hash, NTLM relay, or offline recovery of the underlying secret.
  3. Impact lands as lateral movement into adjacent OT or IT-connected systems where the service account already has privileged reach.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Standing service-account trust is the control assumption this flaw exploits. OT programmes often assume a service account can be trusted because it belongs to infrastructure, not a user. CVE-2025-9065 shows that assumption fails when the application can be coerced into exposing NTLM material outside the intended boundary. The implication is that machine identity trust must be anchored in observable execution paths, not in the belief that service accounts are inherently safe.

Credential exposure windows in OT are wider than many IAM teams model. Patch latency, maintenance windows, and production continuity constraints keep privileged accounts live longer than the risk model usually expects. When an SSRF flaw can leak a reusable hash, the problem is not just theft but the fact that the identity remains valid after exposure. Practitioners need to think in terms of exposure persistence, not just initial compromise.

Network segmentation does not compensate for over-broad service-account reach. The flaw matters because the credential can cross boundaries that the network team believed were separated. If one account can authenticate to multiple zones, segmentation can be bypassed through identity rather than protocol tunnelling. The practical conclusion is that OT segmentation and service-account scoping must be designed together, not owned as separate controls.

OT identity governance needs a distinct NHI failure concept: service-account relay exposure. This is not generic credential theft. It is a pattern where an industrial application is tricked into relaying its own privileged authentication material. That pattern should be tracked as a specific governance failure in NHI and PAM programmes because it reveals where an account can be made to speak on behalf of the attacker.

Patch availability does not remove the governance obligation created by the exposed hash. Even when a fixed version exists, the question remains whether the captured service account is still active, still shared, or still trusted across connected systems. The broader lesson is that remediation must include identity invalidation, not just software replacement.

From our research:

What this signals

Service-account exposure in OT should now be treated as an identity governance problem, not only an application vulnerability. ThinManager-style SSRF issues show that the attack surface is the combination of software behavior, account privilege, and outbound trust. Teams should expect more cases where the credential is the real asset at risk, which means OT programme owners need lifecycle visibility into machine identities as well as patch status.

Identity blast radius is the right metric for connected OT environments. Once a privileged service account can traverse segments, the relevant question is how far one exposed hash can travel before containment breaks. That aligns with the governance lens in Top 10 NHI Issues, where overuse and overreach are treated as structural risks rather than isolated incidents.

Organizations should use the Guide to the Secret Sprawl Challenge to align secret handling, rotation, and offboarding with OT realities. The operational lesson is that machine identities in industrial systems need explicit ownership, bounded reach, and identity review cadences that reflect production constraints.


For practitioners

  • Inventory OT service accounts that can authenticate externally Identify ThinManager and similar OT services that may initiate outbound SMB or other authenticated connections. Confirm which accounts can reach external or cross-segment endpoints and document the systems those accounts can still access.
  • Rotate the exposed service-account password after patching Move affected ThinManager environments to v14.1 or later, then rotate the service account password to invalidate any NTLM material that may have been captured before remediation.
  • Remove cross-segment trust from OT machine identities Reduce the number of zones and management planes that accept the same service account. Where segmentation is required, limit authentication scope so one exposed credential cannot traverse from OT into IT without an explicit business need.
  • Block unsolicited outbound authentication from critical servers Apply egress filtering, SMB restrictions, and proxy rules that prevent OT applications from authenticating to attacker-controlled destinations. Focus on servers that should never be generating outbound credential-bearing connections.
  • Re-certify privileged machine identities as part of OT governance Add OT service accounts to lifecycle and access review processes so ownership, reach, and current necessity are regularly confirmed. Treat privileged machine identities as living assets that can outlast their original purpose.

Key takeaways

  • This vulnerability turns an OT server into a credential relay point, which means the service account is the primary asset at risk.
  • The exposure matters because reusable NTLM material can support pass-the-hash, relay, and lateral movement across IT-OT boundaries.
  • Patching is necessary, but identity invalidation, scope reduction, and segmentation-aware service-account governance are what reduce the real blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centers on exposed machine credentials and their reuse.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe exploit exposes credentials and enables movement across connected zones.
NIST CSF 2.0PR.AC-4OT service-account scope and segmentation map to access governance.
NIST SP 800-53 Rev 5IA-5NTLM hash exposure is directly about authenticator management.
CIS Controls v8CIS-5 , Account ManagementPrivileged service-account lifecycle and ownership are central to this exposure.

Tie SSRF-led credential theft to TA0006 and TA0008 when building detections and containment playbooks.


Key terms

  • Server-Side Request Forgery: An attack pattern where a vulnerable server is tricked into making requests on the attacker’s behalf. In application exploitation, SSRF can be used to reach internal resources, fetch malicious payloads, or amplify a flaw into full code execution.
  • NTLM Hash: An NTLM hash is a cryptographic representation of a password used in Windows authentication flows. It can sometimes be reused to authenticate without knowing the password itself, which is why exposure of a privileged hash is treated as a live credential issue rather than a simple disclosure.
  • Service Account: A service account is a non-human identity used by software, devices, or infrastructure to authenticate and perform tasks. In OT and enterprise environments, it often carries elevated access and broad reach, so its lifecycle, scope, and exposure pattern matter as much as the application it supports.
  • IT-OT Connectivity: IT-OT connectivity is the linkage between business systems and operational technology environments. It improves visibility and coordination, but it also creates identity pathways that can let an exposed machine credential move from plant systems into broader enterprise zones.

What's in the full article

ColorTokens's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step remediation guidance for upgrading ThinManager to v14.1 or later in production OT environments
  • Compensating controls for organisations that cannot patch immediately, including segmentation and certificate-based authentication options
  • The exploit sequence from crafted SMB path to NTLM credential exposure and follow-on abuse
  • Practical OT containment considerations for environments with IT-OT connectivity

👉 ColorTokens's full post covers the exploit path, compensating controls, and patch guidance for ThinManager users.

Deepen your knowledge

NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or OT identity governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org