OTPulse

Siemens Mendix

Low RiskCVSS 3.1ICS-CERT ICSA-22-104-17Apr 12, 2022
Siemens
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityHigh
User InteractionNone needed
Summary

A Mendix application vulnerability allows an authenticated user to extract information from protected database fields by sorting query results. When a user performs a database query, they can intentionally sort by a protected field that should not be accessible. Although the sort operation itself does not return the field's value directly, the ordering of results reveals information about the protected field's contents, bypassing field-level access controls. Siemens has released updates for Mendix 7, 8, 9 and the v9.6 branch to address this vulnerability.

What this means
What could happen
An authenticated attacker with access to a Mendix application could bypass field-level access controls to extract sensitive data by sorting database results on protected fields. This could expose confidential information stored in the application database.
Who's at risk
Organizations running Siemens Mendix applications (versions 7, 8, or 9) should be aware of this vulnerability. This affects any web or cloud-based application built on Mendix that stores sensitive data in protected fields—such as manufacturing execution systems (MES), asset management platforms, or business applications connected to industrial operations. Companies developing custom applications with Mendix are responsible for patching.
How it could be exploited
An attacker with valid login credentials to a Mendix application can craft a database query that sorts results by a protected field that should not be accessible to them. The sorting operation leaks information about the protected field's contents without the attacker needing direct read access, bypassing the application's field-level access controls.
Prerequisites
  • Valid user credentials (login) to the Mendix application
  • Access to the Mendix application's query interface or API
  • Target application must use protected fields in its database schema
Requires valid authenticationHigh attack complexityLow CVSS score (3.1)Low exploit probability (0.3%)Indirect access to sensitive dataNot actively exploited
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (4)
4 with fix
ProductAffected VersionsFix Status
Mendix Applications using Mendix 7<V7.23.27V7.23.27+
Mendix Applications using Mendix 8<V8.18.14V8.18.14+
Mendix Applications using Mendix 9<V9.12.0V9.12.0+
Mendix Applications using Mendix 9 (V9.6)<V9.6.3V9.12.0+
Remediation & Mitigation
0/6
Schedule — requires maintenance window
0/4

Patching may require device reboot — plan for process interruption

Mendix Applications using Mendix 9 (V9.6)
HOTFIXUpdate Mendix to version 9.6.3 or later if running v9.6 branch (preferably to v9.12 or later)
All products
HOTFIXUpdate Mendix to version 7.23.27 or later (v7 branch)
HOTFIXUpdate Mendix to version 8.18.14 or later (v8 branch)
HOTFIXUpdate Mendix to version 9.12.0 or later (v9 branch)
Long-term hardening
0/2
HARDENINGRestrict network access to Mendix applications using firewalls or network segmentation; do not expose to the Internet
HARDENINGImplement role-based access controls and audit user permissions in Mendix applications to limit who can query sensitive fields
View full CISA ICS-CERT advisory
API: /api/v1/advisories/aa02e8fd-57e7-4b65-a108-0abf7238c56e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.