TL;DR: CISA’s advisory on CVE-2025-9065 describes an authenticated SSRF flaw in Rockwell Automation ThinManager that can expose a high-privilege service account’s NTLM credentials, creating pass-the-hash, relay, and lateral-movement risk across OT and IT-connected environments, according to ColorTokens. The issue shows how service-account trust assumptions and network segmentation can fail together when OT systems expose credentials over outbound connections.
NHIMG editorial — based on content published by ColorTokens covering the ThinManager SSRF vulnerability: Addressing CISA Advisory on Rockwell Automation ThinManager SSRF Vulnerability (CVE-2025-9065)
By the numbers:
- CVE-2025-9065 affects ThinManager versions 13.0 through 14.0.
- The U.S. Cybersecurity and Infrastructure Security Agency issued a critical advisory on September 9, 2025.
Questions worth separating out
Q: What fails when an OT service account can be coerced into authenticating outward?
A: The failure is not only credential exposure.
Q: Why do OT service accounts increase lateral movement risk after SSRF exposure?
A: They often carry broad privileges and are trusted across multiple systems, segments, or management planes.
Q: How do security teams measure whether OT machine identities are too exposed?
A: Look for service accounts that authenticate across more than one segment, authenticate outbound without a clear operational reason, or remain active after their original use case has changed.
Practitioner guidance
- Inventory OT service accounts that can authenticate externally Identify ThinManager and similar OT services that may initiate outbound SMB or other authenticated connections.
- Rotate the exposed service-account password after patching Move affected ThinManager environments to v14.1 or later, then rotate the service account password to invalidate any NTLM material that may have been captured before remediation.
- Remove cross-segment trust from OT machine identities Reduce the number of zones and management planes that accept the same service account.
What's in the full article
ColorTokens's full post covers the operational detail this post intentionally leaves for the source:
- Step-by-step remediation guidance for upgrading ThinManager to v14.1 or later in production OT environments
- Compensating controls for organisations that cannot patch immediately, including segmentation and certificate-based authentication options
- The exploit sequence from crafted SMB path to NTLM credential exposure and follow-on abuse
- Practical OT containment considerations for environments with IT-OT connectivity
👉 Read ColorTokens's analysis of CVE-2025-9065 and ThinManager NTLM exposure →
ThinManager SSRF and NTLM exposure: what OT teams need to know?
Explore further
Standing service-account trust is the control assumption this flaw exploits. OT programmes often assume a service account can be trusted because it belongs to infrastructure, not a user. CVE-2025-9065 shows that assumption fails when the application can be coerced into exposing NTLM material outside the intended boundary. The implication is that machine identity trust must be anchored in observable execution paths, not in the belief that service accounts are inherently safe.
A few things that frame the scale:
- 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- When credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
A question worth separating out:
Q: Who is accountable when a privileged OT service account is exposed through SSRF?
A: Accountability usually spans application owners, OT operations, IAM, and network security because the failure crosses software, identity, and segmentation boundaries. The practical question is whether anyone owns the service account lifecycle end to end, including password rotation, scope reduction, and offboarding.
👉 Read our full editorial: CVE-2025-9065 exposes NTLM service accounts in ThinManager