Siemens Mendix Runtime
ICS-CERT ICSA-23-320-04, Nov 14, 2023, CVSS base score 6.8
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
Mendix Runtime contains a capture-replay flaw in how it handles authentication and authorization. This vulnerability allows authenticated attackers to access or modify objects without proper authorization, or escalate privileges in the context of vulnerable applications, if certain preconditions exist in the application's model and access control design. The vulnerability affects Mendix versions 7 through 10. Siemens has released patched versions: Mendix 7.23.37, 8.18.27, 9.24.10, and 10.4.0.
What this means
What could happen
An authenticated attacker could bypass application access controls to view or modify data they shouldn't access, or escalate their privileges within a Mendix-based application. This could result in unauthorized changes to process parameters, data manipulation, or loss of operational visibility depending on what data the application manages.
Who's at risk
Organizations running industrial or operational applications built on the Siemens Mendix platform (versions 7, 8, 9, or 10) should care about this vulnerability. This includes any Mendix-based application managing manufacturing processes, data collection, process control, or business logic in utility or industrial environments. Applications that handle sensitive configuration data or process setpoints are most at risk.
How it could be exploited
An attacker with valid application login credentials (e.g., a compromised operator or engineering account) could capture legitimate requests to the application and replay them to reach or modify objects that their own role is not authorized for, bypassing the application's authorization checks. They would need to understand the specific application model and access control design to exploit this effectively, which is why the CVSS attack complexity is rated High.
Prerequisites
- Valid login credentials for the Mendix application
- Knowledge of the target application's data model and access control design
- Network access to the application (typically internal or VPN)
- Application must have certain preconditions in its model and access control configuration
- Requires valid credentials to exploit
- High attack complexity (attacker must understand application design)
- Low exploit probability (0.2% EPSS)
- Affects authorization controls in applications
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 with fix

Product                              Affected Versions   Fix Status
Mendix Applications using Mendix 7   < V7.23.37          Fixed in 7.23.37
Mendix Applications using Mendix 8   < V8.18.27          Fixed in 8.18.27
Mendix Applications using Mendix 9   < V9.24.10          Fixed in 9.24.10
Mendix Applications using Mendix 10  < V10.4.0           Fixed in 10.4.0
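The check a practitioner would run against an inventory of Mendix applications, added here as an example (it is not Siemens' or Mendix's own tooling): the thresholds are the fixed versions from the table above; the function names, the tolerance for extra version components, and the sample inventory are assumptions. The point it makes is that "below the fixed version" must be decided numerically, because a string comparison sorts 9.24.9 after 9.24.10 and would mark a vulnerable build as fixed.

```python
# Added example for this advisory (not Siemens' or Mendix's own tooling):
# decide whether a reported Mendix Runtime version is below the fixed
# version for its major line. Thresholds come from the advisory table;
# function names and the sample inventory are assumptions.
from __future__ import annotations

# Fixed versions per major line, from the advisory. A version of the same
# major line strictly below the threshold is affected.
FIXED_VERSIONS: dict[int, tuple[int, int, int]] = {
    7: (7, 23, 37),
    8: (8, 18, 27),
    9: (9, 24, 10),
    10: (10, 4, 0),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' into an integer tuple so comparisons are
    numeric. Comparing the raw strings is the classic mistake here:
    '9.24.9' sorts *after* '9.24.10' lexically, which would report a
    vulnerable build as fixed. Any trailing components (a build number or
    a '-tag' suffix, assumed formats) are ignored; only the first three
    numeric fields are used.
    """
    core = text.strip().split("-", 1)[0]
    fields = core.split(".")
    if len(fields) < 3 or not all(f.isdigit() for f in fields[:3]):
        raise ValueError(f"unrecognised Mendix version string: {text!r}")
    major, minor, patch = (int(f) for f in fields[:3])
    return (major, minor, patch)


def is_affected(version: str) -> bool | None:
    """True  -> below the fixed version for its major line (affected)
    False -> at or above the fixed version
    None  -> major line not covered by this advisory (e.g. Mendix 6)
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map app name -> 'affected' / 'fixed' / 'not covered' / 'unparseable'."""
    labels = {True: "affected", False: "fixed", None: "not covered"}
    result: dict[str, str] = {}
    for app, version in inventory.items():
        try:
            result[app] = labels[is_affected(version)]
        except ValueError:
            # Unparseable strings are surfaced, not silently treated as fixed.
            result[app] = "unparseable"
    return result


# Constructed sample inventory (not real deployments).
SAMPLE_INVENTORY = {
    "line-monitor": "9.24.9",
    "mes-portal": "9.24.10",
    "legacy-kpi": "7.23.36",
    "new-dashboard": "10.4.0",
    "old-pilot": "6.10.3",
    "broken-entry": "unknown",
}

if __name__ == "__main__":
    for app, status in triage(SAMPLE_INVENTORY).items():
        print(f"{app:14} {SAMPLE_INVENTORY[app]:10} {status}")
```

Where the version string comes from is deployment-specific; feed whatever runtime version your deployment tooling reports. An unparseable entry is reported as such rather than assumed safe, and a major line outside 7 to 10 is reported as "not covered" because the advisory says nothing about it.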
Remediation & Mitigation
Schedule: requires a maintenance window. Redeploying an updated application restarts it, so plan for a service interruption.
HOTFIX: Update Mendix 7 applications to version 7.23.37 or later and redeploy
HOTFIX: Update Mendix 8 applications to version 8.18.27 or later and redeploy
HOTFIX: Update Mendix 9 applications to version 9.24.10 or later and redeploy
HOTFIX: Update Mendix 10 applications to version 10.4.0 or later and redeploy
Long-term hardening
HARDENING: Restrict network access to Mendix applications using firewall rules and access controls, ensuring they are not accessible from the internet
HARDENING: Isolate Mendix applications and their networks from general business networks
HARDENING: Use VPN with multi-factor authentication for any required remote access to Mendix applications
CVEs (1)