Siemens Mendix Studio Pro
Priority: Act Now
CVSS score: 7.5
Source: ICS-CERT ICSA-23-320-11
Date: Nov 14, 2023
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary
Mendix Studio Pro versions 7 through 10 (before the patched versions listed below) contain an out-of-bounds write vulnerability in the embedded libwebp image library (CVE-2023-4863). When a user opens a malicious WebP image file in Studio Pro, the flaw allows arbitrary code execution in the context of the developer's user session. The vulnerability is not remotely exploitable, but it has been actively exploited in the wild, and its EPSS score of 94.1% indicates a very high probability of exploitation.
What this means
What could happen
An attacker with local access to a developer workstation running Mendix Studio Pro could exploit a memory corruption flaw in the embedded image library to execute arbitrary code with the same privileges as the user. This could compromise the workstation and potentially allow modification of critical application code before deployment to production systems.
Who's at risk
Mendix Studio Pro development teams should care about this issue. Affected are software developers and engineers using Mendix Studio Pro versions 7, 8, 9, and 10 (before the patched versions listed). This is especially critical for teams developing applications that control OT systems or integrate with industrial control systems, as a compromised development workstation could allow code injection into production deployments.
How it could be exploited
An attacker would need to trick a Mendix developer into opening a malicious WebP image file within Studio Pro (via file import, clipboard paste, or project resource). The out-of-bounds write in the libwebp library would then execute code in the context of the developer's user session, potentially allowing exfiltration of source code or injection of malicious logic into applications before they are deployed.
Prerequisites
- Local access to a workstation running a vulnerable Mendix Studio Pro version
- User interaction required: developer must open or import a crafted WebP image file
- Attacker ability to deliver malicious WebP image (email attachment, project file, or shared resource)
- actively exploited (KEV)
- high CVSS score (7.5)
- very high EPSS score (94.1%)
- affects development environment with access to production code
- requires user interaction but low attack complexity once delivery is achieved
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (4)
4 with fix
Product                Affected Versions   Fix Status
Mendix Studio Pro 10   < V10.3.1           10.3.1
Mendix Studio Pro 7    < V7.23.37          7.23.37
Mendix Studio Pro 8    < V8.18.27          8.18.27
Mendix Studio Pro 9    < V9.24.0           9.24.0
Remediation & Mitigation
Do now
Mendix Studio Pro 7
HOTFIX: Update Mendix Studio Pro 7 to version 7.23.37 or later
Mendix Studio Pro 8
HOTFIX: Update Mendix Studio Pro 8 to version 8.18.27 or later
Mendix Studio Pro 9
HOTFIX: Update Mendix Studio Pro 9 to version 9.24.0 or later
Mendix Studio Pro 10
HOTFIX: Update Mendix Studio Pro 10 to version 10.3.1 or later
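To check an inventory of developer workstations against the fixed versions in the affected-products table above, here is an added example (not code from the advisory, Siemens or Mendix); the hostnames and version strings in the sample inventory are constructed, and the four-part version form assumed for some entries mirrors how Studio Pro build numbers are commonly written.

```python
# Added example, not from the advisory or from Siemens/Mendix: triage an inventory of
# Mendix Studio Pro installs against the fixed versions listed for CVE-2023-4863.
from typing import Dict, List, Optional, Tuple

# Fixed version per major release line, as given in the advisory's affected-products table.
FIXED_VERSIONS: Dict[int, str] = {7: "7.23.37", 8: "8.18.27", 9: "9.24.0", 10: "10.3.1"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'V9.24.0' or '9.24.0.62' -> (9, 24, 0) or (9, 24, 0, 62). Raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))


def is_below(installed: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """Numeric comparison, zero-padded so '9.24' is not treated as older than '9.24.0'."""
    width = max(len(installed), len(fixed))

    def pad(v: Tuple[int, ...]) -> Tuple[int, ...]:
        return v + (0,) * (width - len(v))

    return pad(installed) < pad(fixed)


def required_update(version: str) -> Optional[str]:
    """Return the fixed version an install must move to, or None if already patched.
    Major lines the advisory does not list (e.g. 6 or 11) are also reported as None."""
    installed = parse_version(version)
    fixed = FIXED_VERSIONS.get(installed[0])
    if fixed is None or not is_below(installed, parse_version(fixed)):
        return None
    return fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each workstation still needing the hotfix to the version it must update to.
    Unparseable version strings are flagged rather than silently treated as patched."""
    findings: Dict[str, str] = {}
    for host, version in inventory:
        try:
            fix = required_update(version)
        except ValueError:
            findings[host] = "unparseable version: " + version
            continue
        if fix is not None:
            findings[host] = "update to " + fix
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    sample = [("dev-01", "10.2.0"), ("dev-02", "V9.24.0"), ("dev-03", "8.18.26.1"),
              ("dev-04", "7.23.37"), ("dev-05", "7.23.37.5"), ("dev-06", "unknown")]
    for host, finding in sorted(triage(sample).items()):
        print(host, "->", finding)
```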
Long-term hardening
HARDENING: Restrict developer workstation network access and require VPN for remote development access
HARDENING: Educate developers to avoid opening WebP images from untrusted sources within Studio Pro
CVEs (1): CVE-2023-4863