Siemens Mendix Excel Importer
CVSS 6.5 | ICS-CERT ICSA-22-195-06 | Jul 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
The Mendix Excel Importer module contains an XML Entity Expansion Injection vulnerability (CWE-776) that allows authenticated users to trigger a denial of service condition. An attacker with valid credentials can upload a specially crafted Excel file that causes the module to consume excessive system resources, resulting in application unavailability. The vulnerability affects Mendix 8-compatible module versions before 9.2.2 and Mendix 9-compatible module versions before 10.1.2.
What this means
What could happen
An attacker with legitimate access could upload a specially crafted Excel file to cause the Mendix application to consume excessive resources, leading to application downtime or denial of service. This would prevent users from accessing business functions that depend on the Excel Importer module.
Who's at risk
Organizations using the Mendix platform for enterprise applications should check whether they are running the Excel Importer module. This affects Mendix 8 and Mendix 9 deployments that include the Excel Importer functionality. Any business process that relies on uploading or importing Excel files through Mendix is potentially impacted, including utility billing systems, asset management platforms, and other data integration workflows.
How it could be exploited
An attacker with user credentials submits a malicious Excel file through the Mendix application's import interface. The Excel Importer module parses the file without proper validation, so the XML entity expansion embedded in it is processed as-is and the application exhausts memory or CPU. The attacker does not need network access to the device itself—only a valid user account.
Prerequisites
- Valid Mendix application user credentials
- Access to the Excel import feature within the Mendix application
- Ability to upload or supply a file to the import function
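The failure described above is a parse-before-validate problem, so the corresponding check belongs at the upload boundary. The following is an added example, not Mendix's or the module's code: it opens the xlsx container, refuses any XML part that declares a DOCTYPE or entity (so no expansion can ever start), and caps the inflated size of each part; the sample workbooks it builds are constructed for the demonstration, and the 10 MB part limit is an assumed policy value.

```python
import io
import zipfile
import xml.parsers.expat

class UnsafeWorkbookError(ValueError):
    """Raised when an uploaded workbook must be rejected before import."""

def _check_xml_part(name: str, data: bytes) -> None:
    # OOXML parts never legitimately carry a DTD: refuse any DOCTYPE/ENTITY
    # declaration before the parser gets a chance to expand anything.
    parser = xml.parsers.expat.ParserCreate()
    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeWorkbookError(f"{name}: DOCTYPE declaration not allowed")
    def on_entity(entity_name, *_rest):
        raise UnsafeWorkbookError(f"{name}: entity '{entity_name}' not allowed")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeWorkbookError(f"{name}: not well-formed XML ({exc})") from exc

def screen_xlsx(blob: bytes, max_part_bytes: int = 10_000_000) -> list[str]:
    checked = []  # names of XML parts that passed; first unsafe part raises
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            # Bound the inflated bytes actually read, not the size the zip
            # header claims, so a lying header or deflate bomb is caught too.
            with zf.open(info) as fh:
                data = fh.read(max_part_bytes + 1)
            if len(data) > max_part_bytes:
                raise UnsafeWorkbookError(f"{info.filename}: part exceeds {max_part_bytes} bytes")
            _check_xml_part(info.filename, data)
            checked.append(info.filename)
    return checked

def is_safe_xlsx(blob: bytes) -> bool:
    try:
        screen_xlsx(blob)
        return True
    except (UnsafeWorkbookError, zipfile.BadZipFile):
        return False

def build_sample(with_dtd: bool = False) -> bytes:
    # Constructed minimal xlsx-like container for the demo, not a real Mendix upload.
    part = (b'<?xml version="1.0"?><!DOCTYPE workbook [<!ENTITY a "x">]><workbook>&a;</workbook>'
            if with_dtd else b'<?xml version="1.0"?><workbook><sheets/></workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", part)
    return buf.getvalue()
```

Run the screen on the uploaded bytes before handing the file to the importer, and log the rejection reason so a burst of refused uploads from one account is visible to operations.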
- Requires authentication to exploit
- Low CVSS score (6.5 medium)
- Availability impact only (denial of service)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Mendix Excel Importer Module (Mendix 8 compatible) | < V9.2.2 | 9.2.2
Mendix Excel Importer Module (Mendix 9 compatible) | < V10.1.2 | 10.1.2
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Mendix Excel Importer Module (Mendix 8 compatible)
HOTFIX: Update Mendix Excel Importer Module (Mendix 8 compatible) to version 9.2.2 or later
Mendix Excel Importer Module (Mendix 9 compatible)
HOTFIX: Update Mendix Excel Importer Module (Mendix 9 compatible) to version 10.1.2 or later
Long-term hardening
HARDENING: Restrict network access to Mendix applications with firewall rules to limit exposure from untrusted networks
HARDENING: Segment Mendix applications from public internet access and limit user access to those who require it for business functions
CVEs (1)