OTPulse

Siemens Mendix Email Connector

Plan Patch | CVSS 8.1 | ICS-CERT ICSA-22-349-17 | Dec 13, 2022
Attack Vector: Network
Auth Required: Low (any authenticated application user)
Complexity: Low
User Interaction: None needed
Summary

The Mendix Email Connector module improperly handles access control for some entities, allowing authenticated users to read and manipulate sensitive information beyond their intended permissions. This affects all versions of the Email Connector module below 2.0.0. The vulnerability stems from insufficient authorization checks on module objects, enabling privilege escalation within the application scope.

What this means
What could happen
An authenticated attacker could read and modify sensitive information stored in or processed by the Email Connector module, potentially compromising confidentiality and integrity of data handled by Mendix applications in industrial environments.
Who's at risk
Any organization running a Mendix application that includes the Email Connector module and grants accounts to users who are not meant to administer email (shared accounts and low-trust development or test environments included) is at risk. Utilities and manufacturers using Mendix for operational reporting, notifications, or SCADA integration should prioritize this update. The risk is elevated if the Email Connector handles sensitive plant data (alarm notifications, setpoint changes, or credential information such as SMTP account passwords).
How it could be exploited
An attacker with valid credentials to the Mendix application can directly access Email Connector module entities that lack proper access controls. The attacker does not need special network access or elevated privileges beyond standard user authentication—they can exploit this through the normal application interface.
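To make the bug class concrete, the following is an added, generic model written for this page (it is not Mendix or Email Connector code, and every entity, role and member name in it is invented). It approximates entity access rules as Mendix uses them: each rule names a module role, the members that role may read or write, and optionally an owner constraint standing in for an XPath constraint. The "vulnerable" module shape maps every authenticated user to one catch-all role with full access, which is what lets a standard user read an SMTP account's password or rewrite its host; the "hardened" shape uses custom roles so that users only see messages they own and cannot touch the account at all.

```python
"""Model of the bug class behind ICSA-22-349-17: an application module whose
entities carry overly permissive (or missing) per-role access rules, so any
authenticated user can read and write them. Added, generic illustration written
for this page; it is not Mendix or Email Connector code, and every entity, role
and member name below is invented."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRule:
    """Approximates an entity access rule: which module role may read or write
    which members, optionally only on objects the caller owns (the job an
    XPath constraint does in Mendix; here a plain owner comparison)."""
    role: str
    read: frozenset
    write: frozenset
    owner_only: bool = False


@dataclass
class Entity:
    name: str
    rules: list
    objects: list = field(default_factory=list)   # each object is a dict of members


def _applicable(rule, roles, obj, user_id):
    return rule.role in roles and (not rule.owner_only or obj.get("owner") == user_id)


def read_objects(entity, user_id, roles):
    """Objects the caller may see, reduced to the members some rule lets them read."""
    visible = []
    for obj in entity.objects:
        members = set()
        for rule in entity.rules:
            if _applicable(rule, roles, obj, user_id):
                members |= rule.read
        if members:
            visible.append({k: v for k, v in obj.items() if k in members})
    return visible


def write_allowed(entity, user_id, roles, index, member):
    """True if some applicable rule grants write access to that member."""
    obj = entity.objects[index]
    return any(_applicable(r, roles, obj, user_id) and member in r.write
               for r in entity.rules)


def update_member(entity, user_id, roles, index, member, value):
    if not write_allowed(entity, user_id, roles, index, member):
        raise PermissionError(f"{member} on {entity.name}")
    entity.objects[index][member] = value


ACCOUNT_MEMBERS = frozenset({"owner", "host", "username", "password"})
MESSAGE_MEMBERS = frozenset({"owner", "to", "subject", "body"})


def build_module(hardened):
    """Constructed sample data: one SMTP account plus two queued messages.

    hardened=False mirrors the vulnerable shape: one catch-all module role that
    every authenticated user maps to, with read/write on every member.
    hardened=True mirrors the mitigation: custom roles, admin-only account
    access, and users limited to reading the messages they own.
    """
    if hardened:
        account_rules = [AccessRule("EmailAdministrator", ACCOUNT_MEMBERS,
                                    ACCOUNT_MEMBERS - {"owner"})]
        message_rules = [AccessRule("EmailAdministrator", MESSAGE_MEMBERS, MESSAGE_MEMBERS),
                         AccessRule("User", MESSAGE_MEMBERS, frozenset(), owner_only=True)]
    else:
        account_rules = [AccessRule("User", ACCOUNT_MEMBERS, ACCOUNT_MEMBERS)]
        message_rules = [AccessRule("User", MESSAGE_MEMBERS, MESSAGE_MEMBERS)]
    account = Entity("EmailAccount", account_rules, [
        {"owner": "admin", "host": "smtp.example.internal",
         "username": "alarms@example.internal", "password": "S3cret!"}])
    messages = Entity("EmailMessage", message_rules, [
        {"owner": "operator1", "to": "shift@example.internal",
         "subject": "Alarm: tank level high", "body": "Setpoint exceeded on T-101"},
        {"owner": "mallory", "to": "mallory@example.internal",
         "subject": "test", "body": "hello"}])
    return account, messages


if __name__ == "__main__":
    # "mallory" holds only the ordinary user role in both configurations.
    for hardened in (False, True):
        account, messages = build_module(hardened)
        print("hardened" if hardened else "vulnerable",
              read_objects(account, "mallory", {"User"}),
              [m["subject"] for m in read_objects(messages, "mallory", {"User"})])
```

The point to carry over to a real Mendix application is the shape of the rules, not this code: the hardened configuration grants the ordinary user role nothing on the account entity and an owner-constrained, read-only rule on messages, so the same authenticated request that leaked the password in the vulnerable configuration returns nothing.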
Prerequisites
  • Valid Mendix application user credentials
  • Network access to the Mendix application
  • Email Connector module version below 2.0.0 deployed

  • Remotely exploitable
  • Requires valid credentials but low complexity to exploit
  • Affects confidentiality and integrity
  • Authentication is a low-barrier user credential, not admin-level
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: Mendix Email Connector
Affected Versions: < V2.0.0
Fix Status: fixed in V2.0.0
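A small triage helper for the affected-version check above, added here as an example rather than an OTPulse or Siemens tool. It parses module versions as shown in an application's module list (with or without the "V" prefix, with missing components treated as zero) and compares them numerically against 2.0.0; the inventory and application names are constructed.

```python
"""Version triage for this advisory: flag deployed Email Connector module
versions below the fixed release. Added example for this page, not an OTPulse
or Siemens tool; the inventory is constructed and the app names are invented."""

import re

FIXED_VERSION = (2, 0, 0)   # first release without the flaw, per the advisory


def parse_version(text):
    """Turn 'V1.10.2', '1.9' or '2.0.0' into a tuple of ints padded to three
    components. Tuples of ints compare numerically; comparing the raw strings
    would, for instance, rank '10.0.0' below '2.0.0' and flag it as affected."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+){0,2})\s*", text)
    if not m:
        raise ValueError(f"unrecognised module version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version_text):
    return parse_version(version_text) < FIXED_VERSION


# Constructed inventory: (application, Email Connector module version as shown
# in that app's module list).
INVENTORY = [
    ("alarm-notifier", "V1.10.2"),
    ("shift-report", "1.9"),
    ("vendor-portal", "V2.0.0"),
    ("maintenance-planner", "2.1.0"),
]


def triage(inventory=INVENTORY):
    """Names of applications that still need the 2.0.0 update."""
    return [app for app, version in inventory if is_affected(version)]


if __name__ == "__main__":
    print("needs update:", triage())
```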
Remediation & Mitigation
Do now
HARDENING: Do not use the default user role of the Email Connector module; map users to custom module roles that grant only the entity access each user actually needs.
Schedule — requires maintenance window

Updating the module means rebuilding and redeploying every Mendix application that includes it, so plan for application downtime rather than a device reboot.

HOTFIX: Update the Mendix Email Connector module to version 2.0.0 or later in every application that includes it, then redeploy.
Long-term hardening
HARDENING: Restrict network access to Mendix applications using firewall rules and isolate them from untrusted networks.