OTPulse

Siemens SINEMA Mendix Forgot Password Appstore

Plan PatchCVSS 9.1ICS-CERT ICSA-22-069-04Mar 8, 2022
SiemensMitsubishi Electric
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The Mendix Forgot Password Appstore module versions ≥3.3.0 and <3.5.1 (and versions <3.2.2 for Mendix 7 compatible) contain two vulnerabilities in the password reset functionality that allow unauthorized users to take over accounts without knowing the original password. Weak authentication controls in the password reset process permit attackers to bypass verification steps and set a new password for any user account. These modules are commonly used in Siemens and Mitsubishi Electric industrial systems for user authentication in control system applications.

What this means
What could happen
An attacker could bypass authentication in the Mendix Forgot Password module and take over user accounts, including those with access to critical infrastructure management applications. This could allow unauthorized configuration changes or operational disruption of water treatment, power distribution, or other industrial processes managed through affected Mendix applications.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators who use Siemens or Mitsubishi Electric systems with Mendix-based applications for remote monitoring, configuration, or asset management. This includes any organization running Mendix applications with the Forgot Password Appstore module for user authentication on engineering workstations, historian servers, or SCADA front-end systems.
How it could be exploited
An attacker on the network (or from the internet if the Mendix application is exposed) can request a password reset on the Forgot Password module. Due to weak authentication controls in the password reset process, the attacker can bypass verification steps and set a new password for any user account without knowing the original password. Once logged in, the attacker has the same access as the compromised user account.
Prerequisites
  • Network access to the Mendix Forgot Password module (HTTP/HTTPS port, typically 80 or 443)
  • Target user account must exist in the system (attacker needs a valid username or email)
  • The Mendix Forgot Password Appstore module must be installed and active
remotely exploitableno authentication required for password resetlow complexity attackaffects account access to critical infrastructure management applicationshigh CVSS (9.1)
Exploitability
Some exploitation risk — EPSS score 1.7%
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
Mendix Forgot Password Appstore module≥ V3.3.0 <V3.5.13.5.1
Mendix Forgot Password Appstore module (Mendix 7 compatible)<V3.2.23.2.2
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDDisable the sign-up feature in the Mendix Forgot Password module if not required for operations
HARDENINGRestrict network access to Mendix applications using firewall rules; ensure they are not accessible from the internet and only reachable from authorized engineering networks
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

Mendix Forgot Password Appstore module
HOTFIXUpdate Mendix Forgot Password Appstore module to version 3.5.1 or later
HOTFIXUpdate Mendix Forgot Password Appstore module (Mendix 7 compatible) to version 3.2.2 or later
Long-term hardening
0/1
HARDENINGImplement network segmentation to isolate Mendix-based control system applications from the general business network
View full CISA ICS-CERT advisory
API: /api/v1/advisories/9c70b7ab-5fd0-4e98-9a38-55ca2ca997a7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.