Siemens Mendix Workflow Commons
Action: Plan Patch
Score: 8.1
Source: ICS-CERT ICSA-22-349-13
Published: Dec 13, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Mendix Workflow Commons improperly enforces access controls on some module entities, allowing authenticated users to read or delete data they should not have permission to access. This is due to missing or insufficient authorization checks in the module code.
What this means
What could happen
An authenticated attacker could read or delete sensitive information stored in Mendix Workflow Commons entities, potentially exposing or corrupting critical workflow data in production systems.
Who's at risk
Operators running Mendix-based applications for workflow management, particularly in manufacturing execution systems (MES), batch process control, or laboratory information systems (LIMS) where workflow data integrity is critical to operations.
How it could be exploited
An attacker with valid credentials for the Mendix application can issue API or direct module calls against specific workflow entities on which access controls are not enforced, reading or deleting restricted data because the module performs no adequate authorization check.
Prerequisites
- Valid Mendix application user credentials
- Network access to the Mendix application (typically internal or via VPN)
- Knowledge of affected entity names or API endpoints
- Remotely exploitable
- Requires valid credentials
- Low complexity attack
- Access control bypass (CWE-284)
- Affects data confidentiality and integrity
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3), 3 with fix

Product                          Affected Versions   Fix Status
Mendix Workflow Commons          < V2.4.0            2.4.0
Mendix Workflow Commons V2.1     < V2.1.4            2.1.4
Mendix Workflow Commons V2.3     < V2.3.2            2.3.2
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to Mendix applications to trusted internal networks and VPN-only access
- WORKAROUND: Audit access logs for unauthorized read or delete operations on workflow entities since deployment
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Mendix Workflow Commons
- HOTFIX: Update Mendix Workflow Commons to version 2.4.0 or later
All products
- HOTFIX: For version 2.1.x branch: update to version 2.1.4 or later
- HOTFIX: For version 2.3.x branch: update to version 2.3.2 or later
Long-term hardening
- HARDENING: Implement application-level access controls and role-based permissions for workflow data beyond module defaults
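Added example, not code from the advisory and not Mendix's own API: a generic deny-by-default, per-entity authorization check of the kind the long-term hardening item asks for, plus an audit pass over access-log lines of the kind the workaround item asks for. The POLICY table, the role and entity names, and the "timestamp key=value ..." log format are all assumptions constructed for this example; a real Mendix deployment expresses such rules in the module's access rules and writes logs in its own format.

```python
"""Deny-by-default entity authorization and an access-log audit (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed permission matrix: (role, entity) -> operations granted.
# Deny by default: any (role, entity, operation) not listed here is refused,
# which is the check a CWE-284 flaw is missing.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("WorkflowAdmin", "WorkflowTask"): frozenset({"read", "write", "delete"}),
    ("WorkflowAdmin", "WorkflowDefinition"): frozenset({"read", "write", "delete"}),
    ("WorkflowUser", "WorkflowTask"): frozenset({"read", "write"}),
    ("WorkflowUser", "WorkflowDefinition"): frozenset({"read"}),
    ("Auditor", "WorkflowTask"): frozenset({"read"}),
}


def is_authorized(roles, entity: str, operation: str) -> bool:
    """Server-side check: grant only if at least one of the caller's roles lists the operation."""
    return any(operation in POLICY.get((role, entity), frozenset()) for role in roles)


@dataclass(frozen=True)
class AccessRecord:
    timestamp: str
    user: str
    roles: Tuple[str, ...]
    entity: str
    operation: str
    result: str  # what the application decided at the time: "OK" or "DENIED"


REQUIRED_FIELDS = ("user", "roles", "entity", "op", "result")


def parse_record(line: str) -> AccessRecord:
    """Parse one constructed 'timestamp key=value ...' line; raise ValueError on a missing field."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"too short: {line!r}")
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"missing {missing} in {line!r}")
    return AccessRecord(
        timestamp=parts[0],
        user=fields["user"],
        roles=tuple(r for r in fields["roles"].split(",") if r),
        entity=fields["entity"],
        operation=fields["op"],
        result=fields["result"],
    )


def audit(log_text: str) -> Tuple[List[AccessRecord], List[str]]:
    """Re-evaluate every operation the application allowed against POLICY.

    Returns (violations, malformed): records the app let through but the policy
    denies, and raw lines that could not be parsed (worth a manual look as well).
    """
    violations: List[AccessRecord] = []
    malformed: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError:
            malformed.append(line)
            continue
        if rec.result == "OK" and not is_authorized(rec.roles, rec.entity, rec.operation):
            violations.append(rec)
    return violations, malformed


# Constructed sample log: one over-privileged delete, one read of an entity no
# role grants, one correctly denied delete, and one malformed line (no roles=).
SAMPLE_LOG = """\
2022-12-14T09:58:01Z user=alice roles=WorkflowUser entity=WorkflowTask op=read result=OK
2022-12-14T09:58:42Z user=alice roles=WorkflowUser entity=WorkflowTask op=delete result=OK
2022-12-14T10:01:10Z user=bob roles=Auditor entity=WorkflowDefinition op=read result=OK
2022-12-14T10:02:33Z user=carol roles=WorkflowUser,WorkflowAdmin entity=WorkflowTask op=delete result=OK
2022-12-14T10:03:05Z user=bob roles=Auditor entity=WorkflowTask op=delete result=DENIED
2022-12-14T10:04:00Z user=dave entity=WorkflowTask op=read result=OK
"""

if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for rec in found:
        print(f"VIOLATION {rec.timestamp} {rec.user} {rec.operation} {rec.entity} roles={','.join(rec.roles)}")
    for line in bad:
        print(f"MALFORMED {line}")
```

The audit deliberately re-checks only operations the application reported as successful: a record the application already denied is not evidence of the flaw, while a successful operation that the policy table would refuse is exactly the unauthorized read or delete the workaround item says to look for.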
CVEs (1)