OTPulse

Siemens Mendix SAML Module

Plan Patch | CVSS 8.1 | ICS-CERT ICSA-21-159-07 | Published Jun 8, 2021
Attack Vector: Network
Privileges Required: Low (a valid user account)
Attack Complexity: Low
User Interaction: None
Summary

The Mendix SAML Module insufficiently verifies the authenticity of the SAML data it processes (CWE-345, Insufficient Verification of Data Authenticity). An authenticated user can abuse this to elevate their privileges within the application without authorization. All versions before V2.1.2 are affected. The CVSS base score is 8.1 (high): the attack vector is network, attack complexity is low, only low privileges (a valid user account) are required and no user interaction is needed, so an attacker holding ordinary credentials can exploit the flaw remotely with little effort. Mendix has released version 2.1.2, which fixes the issue.

What this means
What could happen
A user with valid application credentials could escalate their privileges within a Mendix application that authenticates through the SAML Module, potentially gaining administrative access to functionality or data they are not authorized to use.
Who's at risk
Organizations running the Mendix SAML Module on any version earlier than V2.1.2 for authentication in operational technology applications or business-critical systems should apply this update. This covers every deployment where Mendix is used as a low-code platform for plant systems, process applications or reporting dashboards.
How it could be exploited
An attacker who already holds valid user credentials signs in to the Mendix application through SAML. Because the module does not sufficiently verify the authenticity of the SAML data it processes (CWE-345), the attacker can obtain permissions beyond those assigned to their account, without any administrator action, and reach restricted features or data.
Prerequisites
  • Valid user credentials for the Mendix application
  • Network access to the Mendix application
  • Mendix SAML Module version earlier than 2.1.2 deployed
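The weakness class behind this advisory, CWE-345, is a service provider that acts on SAML attributes before establishing that they really came from the identity provider. The following added example is constructed for this page to illustrate that class; it is not Mendix code and does not reproduce the specific check the Mendix module got wrong, which the advisory does not disclose. An HMAC over the Assertion bytes under an assumed shared key (IDP_KEY) stands in for the XML-DSig signature a real IdP produces, and the issuer and audience URLs are assumptions.

```python
"""Constructed illustration of the CWE-345 class in a SAML service provider:
trusting role attributes from a SAML Response whose authenticity was never
checked. Not Mendix code; an HMAC over the Assertion bytes (IDP_KEY) stands
in for the XML-DSig signature a real IdP would produce."""
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumed identifiers for the illustration.
EXPECTED_ISSUER = "https://idp.example.com/metadata"
EXPECTED_AUDIENCE = "https://app.example.com/sp"
IDP_KEY = b"idp-signing-secret-for-demo"  # stand-in for the IdP certificate


def build_response(name_id: str, role: str) -> str:
    """Minimal SAML 2.0 Response carrying one Role attribute (constructed)."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        f'<saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '<saml:AttributeStatement><saml:Attribute Name="Role">'
        f'<saml:AttributeValue>{role}</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )


def _assertion_bytes(response_xml: str) -> bytes:
    """The exact bytes the stand-in signature covers (a real SP canonicalizes)."""
    m = re.search(r"<saml:Assertion.*?</saml:Assertion>", response_xml, re.S)
    return m.group(0).encode() if m else b""


def idp_sign(response_xml: str) -> str:
    """Stand-in IdP: appends a MAC over the Assertion as a Signature element."""
    mac = hmac.new(IDP_KEY, _assertion_bytes(response_xml), hashlib.sha256).hexdigest()
    return response_xml.replace(
        "</samlp:Response>", f"<Signature>{mac}</Signature></samlp:Response>")


def _extract(root: ET.Element) -> dict:
    """Pull the subject and Role values out of the AttributeStatement."""
    name_id = root.findtext(".//saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='Role']/saml:AttributeValue"
    return {"user": name_id, "roles": [v.text for v in root.findall(path, NS)]}


def vulnerable_consume(response_xml: str) -> dict:
    """CWE-345: grants whatever roles the response claims, verifying nothing."""
    return _extract(ET.fromstring(response_xml))


def hardened_consume(response_xml: str) -> dict:
    """Verify authenticity and binding before any attribute is trusted."""
    root = ET.fromstring(response_xml)
    sig = root.findtext("Signature")
    if sig is None:
        raise ValueError("unsigned response")
    expected = hmac.new(IDP_KEY, _assertion_bytes(response_xml), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("assertion signature invalid")
    if root.findtext(".//saml:Assertion/saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud_path = ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    if root.findtext(aud_path, namespaces=NS) != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch")
    return _extract(root)


def consume_outcome(response_xml: str):
    """Hardened result, or the rejection reason, for the walkthrough below."""
    try:
        return hardened_consume(response_xml)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # A low-privileged user obtains a legitimately signed response for themselves...
    legit = idp_sign(build_response("alice", "User"))
    # ...then edits the Role attribute before posting it to the service provider.
    tampered = legit.replace(">User<", ">Administrator<")
    print("vulnerable:", vulnerable_consume(tampered)["roles"])  # ['Administrator']
    print("hardened:  ", consume_outcome(tampered))              # rejected: assertion signature invalid
    print("unsigned:  ", consume_outcome(build_response("alice", "Administrator")))  # rejected: unsigned response
```

The ordering is the point: the hardened consumer refuses an unsigned response, checks the signature over the assertion it is about to trust, and binds the assertion to the expected issuer and audience before reading a single attribute. A production SP must additionally enforce the Conditions window (NotBefore/NotOnOrAfter) and the InResponseTo value, and must use a real XML-DSig verifier against the IdP certificate rather than a shared secret.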
Tags: remotely exploitable · requires valid user credentials · privilege escalation flaw · low complexity attack
Exploitability
Low exploit probability (EPSS 0.3%, the estimated chance of in-the-wild exploitation within the next 30 days)
Affected products (1)
Product               Affected Versions   Fix Status
Mendix SAML Module    < V2.1.2            Fixed in V2.1.2
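Deciding whether a deployment falls inside the affected range is a version comparison, and naive string comparison gets it wrong once a component reaches two digits ("2.1.10" sorts before "2.1.2" as text). The added helper below is constructed for this page, not OTPulse or Mendix tooling; the inventory it triages is made up, and it accepts both the "V2.1.2" form used in Siemens advisories and plain "2.1.2".

```python
"""Constructed triage helper for the affected range in the table above
(Mendix SAML Module < V2.1.2). Not OTPulse or Mendix tooling; the inventory
is made up. Versions are compared as integer tuples because a plain string
comparison would rank "2.1.10" below "2.1.2"."""
import re

FIXED_VERSION = (2, 1, 2)


def parse_version(label: str) -> tuple:
    """Accept 'V2.1.2' (Siemens advisory style) or '2.1.2'; missing parts are 0."""
    m = re.fullmatch(r"[Vv]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", label.strip())
    if not m:
        raise ValueError(f"unrecognized version label: {label!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(label: str) -> bool:
    """True when the installed module is older than the fixed release."""
    return parse_version(label) < FIXED_VERSION


def triage(inventory):
    """inventory: iterable of (application name, SAML module version) pairs."""
    return [(app, ver, "AFFECTED" if is_affected(ver) else "ok") for app, ver in inventory]


SAMPLE_INVENTORY = [  # constructed for the illustration
    ("plant-dashboard", "V2.1.1"),
    ("shift-reporting", "2.1.2"),
    ("maintenance-portal", "2.1.10"),
    ("legacy-kpi", "1.9.0"),
]

if __name__ == "__main__":
    for app, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{app:<20} {ver:<8} {status}")
```

Feed it the module version recorded in each application's project, not the Mendix runtime version; the advisory scopes the affected range to the SAML Module itself.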
Remediation & Mitigation
Schedule — requires maintenance window

Updating the module means redeploying the Mendix application; plan for a short interruption of the app and its logins.

HOTFIX: Update the Mendix SAML Module to V2.1.2 or later and redeploy the application
Long-term hardening
HARDENING: Restrict network access to Mendix applications with firewall rules; ensure applications are not directly reachable from the internet
HARDENING: Isolate Mendix application servers from the business network using network segmentation