OTPulse

Siemens Mendix

Monitor
CVSS score: 5.9
ICS-CERT advisory: ICSA-23-047-11
Published: Feb 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Mendix applications contain an improper access control vulnerability (CWE-284) that allows an attacker to bypass XPath constraints and retrieve sensitive information using XPath queries that trigger errors. The vulnerability affects Mendix 7, 8, and 9 versions. Siemens has released updates for all affected versions.

What this means
What could happen
An attacker with network access to a Mendix application could extract sensitive data (user information, configuration details, business data) by crafting XPath queries designed to bypass access controls, potentially exposing operational or personal information stored in the application database.
Who's at risk
Organizations running Siemens Mendix applications (versions 7, 8, or 9) for operational dashboards, data repositories, or control system interfaces should be concerned. This affects any Mendix application accessible over a network, including those used for monitoring industrial processes, managing plant data, or integrating with SCADA systems.
How it could be exploited
An attacker sends specially crafted XPath query requests to the Mendix application over the network. The application improperly validates or enforces access controls on these queries, allowing the attacker to bypass restrictions and retrieve data that should be protected. Error messages from failed XPath injection attempts may leak additional information about the data structure.
Prerequisites
  • Network access to the Mendix application (HTTP/HTTPS)
  • No authentication required to trigger the vulnerability
  • Knowledge of the application's data model or ability to infer it through error responses
Tags: remotely exploitable · no authentication required · high attack complexity · low exploit probability (0.3% EPSS)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (6)
6 with fix
Product                                         Affected Versions   Fix Status
Mendix Applications using Mendix 7              < V7.23.34          fixed in 7.23.34
Mendix Applications using Mendix 8              < V8.18.23          fixed in 8.18.23
Mendix Applications using Mendix 9              < V9.22.0           fixed in 9.22.0
Mendix Applications using Mendix 9 (V9.12)      < V9.12.10          fixed in 9.12.10
Mendix Applications using Mendix 9 (V9.18)      < V9.18.4           fixed in 9.18.4
Mendix Applications using Mendix 9 (V9.6)       < V9.6.15           fixed in 9.6.15
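To turn the table above into an inventory check, here is an added example (not OTPulse or Siemens code) that classifies a Mendix runtime version against the fixed versions listed in this advisory. The fixed versions are taken from the table; the way the 9.6, 9.12 and 9.18 rows are treated as maintenance branches with their own fix, and the handling of major versions the advisory does not list, are assumptions of this example.

```python
# Added example: is a given Mendix runtime version inside the ranges this
# advisory lists as affected? Fixed versions come from the advisory table.
from typing import Optional, Tuple

# (branch prefix, first fixed version in that branch). The maintenance
# branches are listed before the generic 9.x row so they match first;
# that ordering is an assumption about how the table should be read.
FIXED_VERSIONS = [
    ((9, 6), (9, 6, 15)),
    ((9, 12), (9, 12, 10)),
    ((9, 18), (9, 18, 4)),
    ((9,), (9, 22, 0)),
    ((8,), (8, 18, 23)),
    ((7,), (7, 23, 34)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'V9.6.14' or '9.6.14' into a comparable tuple of ints."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Mendix version: {text!r}")
    return tuple(int(p) for p in parts)


def check_mendix_version(text: str) -> Tuple[Optional[bool], Optional[str]]:
    """Return (affected, first_fixed_version).

    affected is None when the advisory does not cover the major version at
    all (for example Mendix 10), so callers can report 'not assessed' rather
    than silently treating an unlisted version as safe.
    """
    version = parse_version(text)
    for prefix, fixed in FIXED_VERSIONS:
        if version[: len(prefix)] == prefix:
            fixed_str = ".".join(str(n) for n in fixed)
            return version < fixed, fixed_str
    return None, None


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    for sample in ["9.6.14", "V9.6.15", "9.20.3", "9.22.0", "7.23.33", "10.4.0"]:
        print(sample, check_mendix_version(sample))
```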
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Mendix applications using firewall rules; ensure they are not reachable from the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Applications using Mendix 9 (V9.6)
HOTFIX: Update Mendix 9 (V9.6) applications to version 9.6.15 or later and redeploy
Mendix Applications using Mendix 9 (V9.12)
HOTFIX: Update Mendix 9 (V9.12) applications to version 9.12.10 or later and redeploy
Mendix Applications using Mendix 9 (V9.18)
HOTFIX: Update Mendix 9 (V9.18) applications to version 9.18.4 or later and redeploy
All products
HOTFIX: Update Mendix 7 applications to version 7.23.34 or later and redeploy
HOTFIX: Update Mendix 8 applications to version 8.18.23 or later and redeploy
HOTFIX: Update Mendix 9 applications to version 9.22.0 or later and redeploy
Long-term hardening
HARDENING: Place Mendix applications behind a firewall and isolate them from business networks
HARDENING: Use VPN with authentication for any required remote access to Mendix applications