OTPulse

Siemens Mendix

CVSS: 5.3
Source: ICS-CERT ICSA-21-194-16
Published: Jul 13, 2021
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

An incorrect authorization check in Mendix applications allows an attacker with valid credentials to bypass write permission restrictions on object attributes under certain circumstances. The vulnerability exists in the first attribute of entities and can be exploited to modify data that should be protected. Siemens has released patches for all supported versions (Mendix 7, 8, and 9).

What this means
What could happen
An attacker with valid application credentials could modify object attributes in Mendix applications that should be protected from write access, potentially altering data or logic that controls industrial processes depending on the application's purpose.
Who's at risk
Organizations running Mendix-based applications, particularly those used in utility control or data management systems. This affects any low-code/no-code application built on the Mendix platform that handles sensitive object data with attribute-level access controls.
How it could be exploited
An attacker with login credentials to a Mendix application exploits an authorization bypass to write to the first attribute of an object despite permissions that should prevent it. This requires knowledge of the application's data structure and the attacker must have already authenticated to the system.
Prerequisites
  • Valid user credentials for the Mendix application
  • Network access to the Mendix application
  • Knowledge of the application's object and attribute structure
  • Attributes configured with write restrictions
Tags: Authorization bypass · Requires valid credentials · Moderate CVSS score · Low exploit probability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 with fix

Product                              Affected Versions   Fix Status
Mendix Applications using Mendix 7   < V7.23.22          7.23.22
Mendix Applications using Mendix 8   < V8.18.7           8.18.7
Mendix Applications using Mendix 9   < V9.3.0            9.3.0
Remediation & Mitigation

Do now
WORKAROUND: Configure the first attribute of vulnerable objects as read-only
WORKAROUND: Add a new read-only attribute and move it to become the first attribute in the entity table

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Mendix 7 applications to version 7.23.22 or later
HOTFIX: Update Mendix 8 applications to version 8.18.7 or later
HOTFIX: Update Mendix 9 applications to version 9.3.0 or later

Long-term hardening
HARDENING: Isolate Mendix applications from the Internet and place behind firewalls
HARDENING: Restrict network access to Mendix applications to authorized users and systems only