Siemens Mendix Applications

CVSS 6.5 | ICS-CERT ICSA-22-195-10 | Jul 12, 2022
Siemens
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

An expression injection vulnerability in Mendix Runtime Workflow processing allows authenticated users to inject malicious expressions that execute during workflow processing. This could allow a malicious user with application access to leak sensitive information such as credentials, configuration data, or business data accessible to the application. The vulnerability affects Mendix 9 versions 9.11 through 9.14 (fixed in 9.15) and Mendix 9.12 versions before 9.12.3. The vulnerability only impacts applications that actually use the Mendix Workflow visual language feature.

What this means
What could happen
An attacker with valid application user credentials could inject malicious expressions into Mendix Workflow processing to steal sensitive data stored in the application or accessible through the application, including configuration data, credentials, or business information.
Who's at risk
Organizations running Mendix applications for business process automation, data management, or integration workflows are affected. This includes enterprises using Mendix for enterprise applications, mobile apps, or citizen development platforms. Applications handling sensitive customer data, financial data, or operational configuration information are at particular risk.
How it could be exploited
An authenticated attacker with access to a Mendix application that uses the Workflow visual language can craft a malicious workflow expression that injects code. The injected expression executes during workflow processing and leaks sensitive information back to the attacker.
Prerequisites
  • Valid user credentials for the Mendix application
  • Ability to create or modify workflows in the Mendix application
  • Application must use Mendix Workflow functionality
  • Authenticated access required
  • Expression injection (CWE-74)
  • Information disclosure only (no code execution)
  • Affects only applications using Workflow functionality
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Mendix Applications using Mendix 9 | ≥ V9.11 and < V9.15 | 9.15
Mendix Applications using Mendix 9 (V9.12) | < V9.12.3 | 9.12.3
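A defender-side triage check for the version ranges in the table above, written as an added example that is not from the OTPulse page or from Siemens/Mendix. It encodes the two overlapping ranges (the 9.12 branch is fixed at 9.12.3 even though 9.12.x sits inside the broader 9.11 to 9.14 range) and applies the advisory's precondition that only applications using Workflow are exposed; the inventory entries and the `uses_workflow` flag are constructed assumptions.

```python
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'V9.12.3', '9.12' or '9.15' into (major, minor, patch); a missing patch is 0."""
    parts = v.strip().lstrip("vV").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Mendix version string: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version(version: str) -> Optional[str]:
    """Return the fix version ICSA-22-195-10 names for an affected runtime, else None.

    Mendix 9 >= 9.11 and < 9.15 is affected (fix: 9.15), except the 9.12
    branch, which received its own fix in 9.12.3.
    """
    major, minor, patch = parse_version(version)
    if major != 9:
        return None                       # advisory covers Mendix 9 only
    if minor == 12:                       # 9.12 branch: 9.12.3 and later are fixed
        return "9.12.3" if patch < 3 else None
    if 11 <= minor < 15:                  # 9.11, 9.13, 9.14 at any patch level
        return "9.15"
    return None


def at_risk_apps(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Filter a deployment inventory to apps that are actually exposed.

    An app is at risk only if its runtime is in an affected range AND it
    uses the Workflow feature, which the advisory names as a precondition.
    """
    result = []
    for app in inventory:
        fix = fixed_version(app["runtime"])
        if fix and app["uses_workflow"]:
            result.append((app["name"], fix))
    return result


# Constructed sample inventory for illustration; these are not real systems.
SAMPLE_INVENTORY = [
    {"name": "orders-portal", "runtime": "V9.12.1", "uses_workflow": True},
    {"name": "hr-onboarding", "runtime": "9.12.3", "uses_workflow": True},
    {"name": "asset-register", "runtime": "9.14.0", "uses_workflow": False},
    {"name": "field-service", "runtime": "9.13", "uses_workflow": True},
    {"name": "legacy-intranet", "runtime": "9.10.2", "uses_workflow": True},
]

if __name__ == "__main__":
    for name, fix in at_risk_apps(SAMPLE_INVENTORY):
        print(f"{name}: update runtime to {fix} or later, then redeploy")
```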
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Applications using Mendix 9
HOTFIX: Update Mendix applications using Mendix 9 (versions >=9.11 and <9.15) to version 9.15 or later
HOTFIX: Update Mendix applications using Mendix 9 version 9.12 to version 9.12.3 or later
All products
HOTFIX: Redeploy applications after updating the Mendix runtime to a patched version
Long-term hardening
HARDENING: Restrict network access to Mendix applications using firewall rules; do not expose them to the Internet
HARDENING: Implement role-based access controls to limit who can create or modify workflows in Mendix applications