OTPulse

Siemens Mendix Forgot Password Module

Monitor · CVSS 5.3 · ICS-CERT ICSA-23-285-11 · Oct 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Mendix Forgot Password module contains a user enumeration vulnerability that allows an attacker to retrieve valid usernames by analyzing responses from the password reset function. Affected versions: Mendix 7 compatible (before 3.7.3), Mendix 8 compatible (before 4.1.3), Mendix 9 compatible (before 5.4.0), and Mendix 10 compatible (before 5.4.0). Siemens has released patches for all affected versions.

What this means
What could happen
An attacker could enumerate valid usernames in Siemens Mendix applications, allowing them to identify real accounts for targeted social engineering or credential attacks. This could enable unauthorized access to engineering and administrative functions in industrial control systems.
Who's at risk
This affects water authorities and utilities using Siemens Mendix for engineering workstations, SCADA human-machine interfaces (HMIs), or administrative portals. If these applications manage control logic or process monitoring, unauthorized access could lead to operational disruptions. Primarily impacts IT staff, engineers, and system administrators who rely on these platforms for industrial control system management.
How it could be exploited
An attacker sends password reset requests to the Mendix Forgot Password module and observes the response behavior (timing, error messages, or page content differences) to determine which usernames exist in the system. Once valid usernames are identified, the attacker could target those accounts with credential stuffing, phishing, or brute force attacks to gain access to engineering workstations or administrative interfaces.
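An added illustration, not code from Siemens, Mendix or this advisory: a constructed Python password-reset handler that reveals whether an account exists through its status and message, beside a hardened variant that answers identically for known and unknown usernames. The USERS table, usernames and function names are made up for the example.

```python
# Added example (not Mendix/Siemens code): the response-difference bug class
# behind ICSA-23-285-11, shown as a leaky reset handler and a hardened one.
import secrets

# Constructed sample user store: username -> e-mail address
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}


def reset_request_leaky(username: str) -> dict:
    """Leaks account existence: status code and wording differ per branch."""
    if username not in USERS:
        return {"status": 404, "message": "Unknown user"}
    token = secrets.token_urlsafe(32)
    # (token would be e-mailed to USERS[username] here)
    return {"status": 200, "message": f"Reset mail sent to {USERS[username]}"}


def reset_request_hardened(username: str) -> dict:
    """Same status, same wording and the same work whether or not the user exists."""
    email = USERS.get(username)
    # Generate the token on every request so the code path does not branch
    # on existence; mail delivery should be queued asynchronously so the
    # caller's response time does not depend on it either.
    token = secrets.token_urlsafe(32)
    if email is not None:
        pass  # (enqueue mail with token for email here)
    return {
        "status": 200,
        "message": "If an account exists for that username, a reset link has been sent.",
    }


def responses_distinguish_existence(handler) -> bool:
    """Test-time check: do a real and a made-up username get different answers?"""
    real = handler("alice")
    fake = handler("definitely-not-a-user")
    return real != fake
```

The same check applies to any self-service reset flow: compare the full response (status, body, headers) for a known and an unknown username and treat any difference as a finding.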
Prerequisites
  • Network access to the Mendix application and its password reset functionality
  • The affected Mendix Forgot Password module must be installed and accessible
  • No authentication required to enumerate usernames
remotely exploitable · no authentication required · low complexity · low EPSS score (0.2%) · affects engineering access to control systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Mendix Forgot Password (Mendix 10 compatible) | < V5.4.0 | 5.4.0
Mendix Forgot Password (Mendix 7 compatible) | < V3.7.3 | 3.7.3
Mendix Forgot Password (Mendix 8 compatible) | < V4.1.3 | 4.1.3
Mendix Forgot Password (Mendix 9 compatible) | < V5.4.0 | 5.4.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Mendix application using firewall rules to limit exposure from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Forgot Password (Mendix 7 compatible)
HOTFIX: Update Mendix Forgot Password (Mendix 7 compatible) to version 3.7.3 or later
Mendix Forgot Password (Mendix 8 compatible)
HOTFIX: Update Mendix Forgot Password (Mendix 8 compatible) to version 4.1.3 or later
Mendix Forgot Password (Mendix 9 compatible)
HOTFIX: Update Mendix Forgot Password (Mendix 9 compatible) to version 5.4.0 or later
Mendix Forgot Password (Mendix 10 compatible)
HOTFIX: Update Mendix Forgot Password (Mendix 10 compatible) to version 5.4.0 or later
Long-term hardening
HARDENING: Place Mendix applications and engineering workstations behind firewalls, isolated from internet-facing networks
HARDENING: Require VPN authentication for remote access to Mendix applications and implement multi-factor authentication on all accounts