Siemens Mendix
Monitor · 5.3 · ICS-CERT ICSA-22-104-07 · Apr 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An information disclosure vulnerability in Siemens Mendix applications allows unauthenticated network attackers to read sensitive data. The vulnerability exists in Mendix 7 (before 7.23.31), Mendix 8 (before 8.18.18), Mendix 9 (before 9.11), and Mendix 9.6 (before 9.6.12). Affected data could include process parameters, configuration details, or credentials exposed through improper access controls.
What this means
What could happen
An attacker with network access to a Mendix application could read sensitive data or configuration information without authentication. This could expose operational parameters, process data, or credentials used by industrial processes.
Who's at risk
Water utilities, electric utilities, and other industrial facilities running Mendix applications (version 7, 8, 9, or 9.6) for SCADA, process automation, or control system interfaces. Mendix is often used to build industrial dashboards and data management applications that may interface with operational equipment.
How it could be exploited
An attacker sends crafted requests to a vulnerable Mendix application over the network. The application fails to properly restrict access to sensitive information, allowing the attacker to read data that should be protected. No authentication or user interaction is required.
Prerequisites
- Network access to the Mendix application (HTTP/HTTPS port)
- Vulnerable version of Mendix framework in use (7.x before 7.23.31, 8.x before 8.18.18, 9.x before 9.11, or 9.6.x before 9.6.12)
- Application must be reachable from the attacker's network location
Tags: remotely exploitable · no authentication required · low complexity · information disclosure could expose operational or configuration data
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Mendix Applications using Mendix 7 | < V7.23.31 | 7.23.31
Mendix Applications using Mendix 8 | < V8.18.18 | 8.18.18
Mendix Applications using Mendix 9 | < V9.11 | 9.11
Mendix Applications using Mendix 9 (V9.6) | < V9.6.12 | 9.11
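An added inventory check, not part of the advisory or of Mendix's own tooling: it classifies a Mendix runtime version string against the affected ranges in the table above, treating the 9.6 maintenance branch separately (fixed from 9.6.12, per the hotfix entry) from the rest of the 9.x line (fixed from 9.11). Version strings used in the comments and tests are constructed samples.

```python
import re
from typing import Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V9.6.3', '9.6.3' or '8.18.18.1234' into a comparable tuple of ints.

    Parsing stops at the first component without a leading number, so a
    constructed suffix such as '9.6.3-rc1' yields (9, 6, 3).
    """
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
        if match.end() != len(piece):
            break  # trailing non-numeric text ends the numeric version
    if not parts:
        raise ValueError(f"unparseable Mendix version: {text!r}")
    return tuple(parts)

# (major, minor-or-None) -> first fixed version, taken from the advisory.
# The 9.6 branch has its own fix (9.6.12); every other 9.x release before
# 9.11 is affected.  Assumption: versions are compared numerically by component.
FIXED_IN = {
    (7, None): (7, 23, 31),
    (8, None): (8, 18, 18),
    (9, 6): (9, 6, 12),
    (9, None): (9, 11),
}

def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fix_version); fix_version is None for majors not
    covered by this advisory (e.g. a constructed '10.0.1')."""
    v = parse_version(version)
    major = v[0]
    minor = v[1] if len(v) > 1 else 0
    fixed = FIXED_IN.get((major, minor)) or FIXED_IN.get((major, None))
    if fixed is None:
        return False, None
    fix_str = ".".join(str(n) for n in fixed)
    # Tuple comparison handles differing lengths: (9, 10, 4) < (9, 11) is True,
    # while (8, 18, 18, 1234) < (8, 18, 18) is False.
    return v < fixed, fix_str
```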
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Mendix applications using firewall rules—only allow connections from authorized engineering workstations and control networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Mendix Applications using Mendix 9 (V9.6)
HOTFIX: Update Mendix 9 (v9.6) applications to Version 9.6.12 or later
All products
HOTFIX: Update Mendix 7 applications to Version 7.23.31 or later
HOTFIX: Update Mendix 8 applications to Version 8.18.18 or later
HOTFIX: Update Mendix 9 applications to Version 9.11 or later
Long-term hardening
HARDENING: Place Mendix applications on a segmented industrial network isolated from the business network and Internet
HARDENING: If remote access is required, use a VPN with current security patches and restrict to specific authorized users
CVEs (1)