Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

ThinManager SSRF and NTLM exposure: what OT teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: CISA’s advisory on CVE-2025-9065 describes an authenticated SSRF flaw in Rockwell Automation ThinManager that can expose a high-privilege service account’s NTLM credentials, creating pass-the-hash, relay, and lateral-movement risk across OT and IT-connected environments, according to ColorTokens. The issue shows how service-account trust assumptions and network segmentation can fail together when OT systems expose credentials over outbound connections.

NHIMG editorial — based on content published by ColorTokens covering the ThinManager SSRF vulnerability: Addressing CISA Advisory on Rockwell Automation ThinManager SSRF Vulnerability (CVE-2025-9065)

By the numbers:

Questions worth separating out

Q: What fails when an OT service account can be coerced into authenticating outward?

A: The failure is not only credential exposure.

Q: Why do OT service accounts increase lateral movement risk after SSRF exposure?

A: They often carry broad privileges and are trusted across multiple systems, segments, or management planes.

Q: How do security teams measure whether OT machine identities are too exposed?

A: Look for service accounts that authenticate across more than one segment, authenticate outbound without a clear operational reason, or remain active after their original use case has changed.

Practitioner guidance

  • Inventory OT service accounts that can authenticate externally Identify ThinManager and similar OT services that may initiate outbound SMB or other authenticated connections.
  • Rotate the exposed service-account password after patching Move affected ThinManager environments to v14.1 or later, then rotate the service account password to invalidate any NTLM material that may have been captured before remediation.
  • Remove cross-segment trust from OT machine identities Reduce the number of zones and management planes that accept the same service account.

What's in the full article

ColorTokens's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step remediation guidance for upgrading ThinManager to v14.1 or later in production OT environments
  • Compensating controls for organisations that cannot patch immediately, including segmentation and certificate-based authentication options
  • The exploit sequence from crafted SMB path to NTLM credential exposure and follow-on abuse
  • Practical OT containment considerations for environments with IT-OT connectivity

👉 Read ColorTokens's analysis of CVE-2025-9065 and ThinManager NTLM exposure →

ThinManager SSRF and NTLM exposure: what OT teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Standing service-account trust is the control assumption this flaw exploits. OT programmes often assume a service account can be trusted because it belongs to infrastructure, not a user. CVE-2025-9065 shows that assumption fails when the application can be coerced into exposing NTLM material outside the intended boundary. The implication is that machine identity trust must be anchored in observable execution paths, not in the belief that service accounts are inherently safe.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a privileged OT service account is exposed through SSRF?

A: Accountability usually spans application owners, OT operations, IAM, and network security because the failure crosses software, identity, and segmentation boundaries. The practical question is whether anyone owns the service account lifecycle end to end, including password rotation, scope reduction, and offboarding.

👉 Read our full editorial: CVE-2025-9065 exposes NTLM service accounts in ThinManager



   
ReplyQuote
Share: