OTPulse

Siemens Mendix

Monitor · CVSS 4.9 · ICS-CERT ICSA-22-195-13 · Jul 12, 2022
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

An improper access control vulnerability in Mendix applications allows an attacker with access to an active user session to change that user's password while bypassing the application's normal password validation rules. This vulnerability exists in Mendix 7, 8, and 9 versions. Siemens has released updates that correct this flaw. The vulnerability requires the attacker to already have an active session, limiting the attack surface to insider threats or session compromise scenarios.

What this means
What could happen
An attacker with access to an active user session in a Mendix application could reset that user's password without meeting normal password validation rules, potentially taking over the account. This could compromise access controls to engineering functions or operational dashboards in industrial applications.
Who's at risk
This affects any organization running Mendix-based industrial applications for process control, SCADA dashboards, or engineering workstations—particularly water utilities and power generation facilities using Mendix for monitoring or configuration systems. Any Mendix 7, 8, or 9 application deployed on unpatched versions is at risk.
How it could be exploited
An attacker must first gain access to an active user session—typically by obtaining session credentials or being physically present at a logged-in workstation. Once in an active session, the attacker can change the user's password without validation, effectively locking out the legitimate user or establishing persistent access under that user's identity.
Prerequisites
  • Active user session access (requires either valid user credentials for an active session, or physical/network access to a logged-in Mendix application interface)
  • Vulnerable Mendix version in use (7.x before 7.23.31, 8.x before 8.18.18, 9.x before 9.14.0, 9.6 before 9.6.12, or 9.12 before 9.12.2)
  • User must be authenticated to the application (no unauthenticated access needed, but session hijacking or insider access required)
  • Requires active user session access (not remotely exploitable without prior compromise)
  • High privilege required (must have valid user session)
  • Low complexity exploitation (once session is compromised)
  • No patch available for end-of-life Mendix 7 branch
  • Could lead to unauthorized account takeover
  • Affects application-layer access control, not network-layer
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (5)
5 with fix

Product                                    | Affected Versions | Fix Status
Mendix Applications using Mendix 7         | < V7.23.31        | v7.23.31 or later
Mendix Applications using Mendix 8         | < V8.18.18        | v8.18.18 or later
Mendix Applications using Mendix 9         | < V9.14.0         | v9.14.0 or later
Mendix Applications using Mendix 9 (V9.12) | < V9.12.2         | v9.14.0 or later
Mendix Applications using Mendix 9 (V9.6)  | < V9.6.12         | v9.14.0 or later
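As an added illustration that is not part of the OTPulse advisory, the following Python check applies the branch-specific thresholds listed above and under Prerequisites (9.6 fixed at 9.6.12, 9.12 fixed at 9.12.2, other 9.x at 9.14.0, 8.x at 8.18.18, 7.x at 7.23.31) to an inventory of Mendix application versions; the application names and versions in the sample inventory are constructed.

```python
# Added example (not from the advisory): flag Mendix application versions that
# are still below the fix thresholds published for ICSA-22-195-13.

def parse_version(s):
    """Parse 'V9.6.11', '9.6' or '9.14' into a 3-tuple (missing parts = 0)."""
    parts = [int(p) for p in s.strip().lstrip("vV").split(".")]
    return tuple((parts + [0, 0, 0])[:3])

# (branch prefix, first fixed version). The maintained 9.6 and 9.12 branches
# are listed before the generic 9.x rule so they match first: 9.6.12 and
# 9.12.2 are fixed even though they are below 9.14.0.
FIX_THRESHOLDS = [
    ((9, 6), (9, 6, 12)),
    ((9, 12), (9, 12, 2)),
    ((9,), (9, 14, 0)),
    ((8,), (8, 18, 18)),
    ((7,), (7, 23, 31)),
]

def required_fix(version):
    """First fixed version for this version's branch, or None when the major
    version is outside the advisory's scope (e.g. Mendix 10)."""
    v = parse_version(version)
    for prefix, fixed in FIX_THRESHOLDS:
        if v[:len(prefix)] == prefix:
            return fixed
    return None

def is_affected(version):
    """True when the version is strictly below its branch's fix threshold."""
    fixed = required_fix(version)
    return fixed is not None and parse_version(version) < fixed

def triage(inventory):
    """Return (app, current version, minimum fixed version) for affected apps."""
    return [(app, ver, ".".join(map(str, required_fix(ver))))
            for app, ver in inventory if is_affected(ver)]

# Constructed sample inventory (hypothetical application names and versions).
SAMPLE_INVENTORY = [
    ("water-plant-dashboard", "V9.6.11"),
    ("substation-config", "9.12.2"),
    ("historian-frontend", "8.18.10"),
    ("legacy-hmi", "7.23.31"),
    ("new-portal", "10.3.0"),
]

if __name__ == "__main__":
    for app, ver, fix in triage(SAMPLE_INVENTORY):
        print(f"{app}: {ver} is affected, update to {fix} or later")
```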
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Mendix applications using firewall rules to limit exposure to trusted engineering networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Applications using Mendix 9 (V9.6)
HOTFIX: Update Mendix Project to v9.6.12 or later if running Mendix 9.6 branch
Mendix Applications using Mendix 9 (V9.12)
HOTFIX: Update Mendix Project to v9.12.2 or later if running Mendix 9.12 branch
All products
HOTFIX: Update Mendix Project to v7.23.31 or later (Mendix 7 users)
HOTFIX: Update Mendix Project to v8.18.18 or later (Mendix 8 users)
HOTFIX: Update Mendix Project to v9.14.0 or later (Mendix 9 users)
HARDENING: Implement session timeout policies to reduce the window of exposure from stolen or abandoned sessions
Long-term hardening
HARDENING: Implement multi-factor authentication for Mendix application user accounts where possible
HARDENING: Segregate Mendix application networks from the business network behind firewalls