Severity: High
Advisory ID: PN1625
Published Date: May 12, 2023
Last Updated: September 09, 2025
Revision Number: 2.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs
CVE-2023-2443
Summary
Inadequate Encryption Vulnerability in ThinManager®
Revision Number
1.2
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - May 12, 2023 – Updated First Known in Software Version
Version 1.2 - September 9, 2025 - Updated for readability
Affected Products
| Affected Product | First Known in Software Version | Corrected in Software Version |
| --- | --- | --- |
| ThinManager® | v13.0.0 and v13.0.1 | v13.0.2 |
Security Issue Details
Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues.
CVE-2023-2443 IMPACT
The affected product allows use of medium strength ciphers. If the client requests an insecure cipher, a threat actor could decrypt traffic sent between the client and server Application Programming Interface (API).
CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Inadequate Encryption Strength
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.
Risk Mitigation & User Action
Customers using the affected software should use the risk mitigations and our suggested security best practices found below to minimize risks.
- Upgrade to v13.0.2.
- Do not use 3DES encryption algorithm.
- QA43240 - Recommended Security Guidelines from Rockwell Automation
Additional Resources
- CVE-2023-2443 JSON
- QA60051 - ThinManager: Download Patches and Updates
- QA66518 - ThinManager: How to Ensure 3DES Encryption Algorithm is Not Used
Glossary
Application Programming Interface (API): a set of protocols and tools that allow different software applications to communicate with each other.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited.
Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112 bits, or those with key lengths of at least 56 bits and less than 112 bits.
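The following is an added example, not part of the Rockwell Automation advisory or of ThinManager: a Python audit of a cipher-suite listing in the column format printed by `openssl ciphers -v`, flagging 3DES (per the mitigation above) and key lengths in the glossary's medium-strength range. The sample listing is constructed, the name `audit_ciphers` is hypothetical, and obtaining the listing for a particular server is assumed to be done separately.

```python
import re

# Constructed sample in the column format printed by `openssl ciphers -v`.
SAMPLE_LISTING = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA      TLSv1   Kx=ECDH Au=RSA Enc=3DES(168)   Mac=SHA1
DES-CBC-SHA                 SSLv3   Kx=RSA  Au=RSA Enc=DES(56)     Mac=SHA1
"""

# Suite name is the first column; Enc=ALG(bits) carries cipher and key length.
ENC_RE = re.compile(r"^(?P<name>\S+)\s.*?\bEnc=(?P<alg>[^\s(]+)\((?P<bits>\d+)\)")


def audit_ciphers(listing, low=56, high=112):
    """Return (suite, reason) pairs for suites the advisory's guidance rules out.

    low/high are the glossary's medium-strength bounds (low <= bits < high);
    the wider of the glossary's two lower bounds, 56, is the default.
    """
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = ENC_RE.match(line)
        if m is None:
            # Never pass a line silently just because it could not be parsed.
            findings.append((line.split()[0], "unparsed"))
            continue
        bits = int(m["bits"])
        if m["alg"] == "3DES":
            # Listed with its nominal 168-bit key, so a key-length threshold
            # alone would miss it; flagged by algorithm per the mitigation.
            findings.append((m["name"], "3DES"))
        elif bits < low:
            findings.append((m["name"], "below medium strength"))
        elif bits < high:
            findings.append((m["name"], "medium strength"))
    return findings


if __name__ == "__main__":
    for suite, reason in audit_ciphers(SAMPLE_LISTING):
        print(f"{suite}: {reason}")
```
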
Copyright ©2022 Rockwell Automation, Inc.