Siemens Mendix Studio Pro
Monitor 5.3 · ICS-CERT ICSA-21-315-05 · Nov 9, 2021
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
Applications built with affected versions of Mendix Studio Pro fail to properly enforce read and write access controls for certain client actions. Authenticated attackers could manipulate the content of System.FileDocument objects or retrieve the changedDate attribute of arbitrary objects in the application. Mendix has released patched versions: v8.18.13 for the Mendix 8 line and v9.6.2 or v9.7.0 for the Mendix 9 line.
What this means
What could happen
An authenticated attacker could modify file documents or read the change dates of arbitrary objects in Mendix applications, potentially exposing sensitive data or corrupting application data without authorization.
Who's at risk
Organizations running Mendix Studio Pro applications, particularly those in manufacturing, utilities, and other industrial settings where these platforms may host control or data management functions. This affects any business application built on Mendix 8 before version 8.18.13 or Mendix 9 before version 9.6.2.
How it could be exploited
An attacker with valid application credentials could send crafted requests to the Mendix application to bypass access controls on FileDocument objects or retrieve metadata about other objects. This requires authentication and knowledge of the application's internal structure.
Prerequisites
- Valid user credentials for the Mendix application
- Knowledge of FileDocument object identifiers or target object structure
- Network access to the running Mendix application
Requires authentication · High attack complexity · No public exploits available · Access control bypass
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Mendix Applications using Mendix 8 | < V8.18.13 | 8.18.13
Mendix Applications using Mendix 9 | < V9.6.2 | 9.6.2 or V9.7.0
Remediation & Mitigation
Do now
- WORKAROUND: Avoid storing sensitive information in FileDocument objects in current versions until patched
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Mendix 8 applications to version 8.18.13 or later
- HOTFIX: Update Mendix 9 applications to version 9.6.2, 9.7.0, or later
- HOTFIX: Redeploy all updated applications after patching
Long-term hardening
- HARDENING: Restrict network access to Mendix applications using firewalls and isolate them from business networks
- HARDENING: Enforce least-privilege access controls for application users
CVEs (2)