Siemens Mendix Applications

MonitorCVSS 5.9ICS-CERT ICSA-24-165-01Jun 11, 2024

Siemens

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityHigh

User InteractionNone needed

Summary

Mendix Runtime versions 9.3.0 and later contain an improper access control vulnerability (CWE-269) that could allow users with role management permissions to escalate access rights. A user granted the ability to manage a role can modify permissions within that role, potentially elevating their own access or that of other users, provided they can guess the internal ID of a target role containing higher privileges. The vulnerability affects Mendix 9 versions prior to 9.24.22, Mendix 10 versions prior to 10.11.0, and Mendix 10.6 versions prior to 10.6.9.

What this means

What could happen

A user with permission to manage roles in a Mendix application could escalate their own access rights or those of other users by modifying role permissions, potentially gaining access to sensitive application functions or data they should not be able to reach.

Who's at risk

This affects any organization running custom applications built on the Siemens Mendix low-code platform (versions 9.3.0 or later through early 10.x releases). Primary concern is for enterprises using Mendix for business applications, workflow automation, or integration services where role-based access control is critical to security boundaries. This includes utilities, manufacturers, and critical infrastructure operators who may have built operational tools on the Mendix platform.

How it could be exploited

An attacker with a user account that has been granted the ability to manage roles could exploit this flaw to elevate their own permissions or those of other users by modifying role definitions. The attacker must guess the internal ID of a target role that contains higher access rights to successfully exploit this vulnerability.

Prerequisites

User account with role management capability within the Mendix application
Knowledge of or ability to guess the internal ID of a target role containing elevated access rights
Network access to the Mendix application interface

Requires valid user account with specific permissionsHigh attack complexity (requires guessing role IDs)No active exploitation reportedAffects authorization/access control mechanisms

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

Mendix Applications using Mendix 10<V10.11.010.11.0

Mendix Applications using Mendix 10 (V10.6)<V10.6.910.6.9

Mendix Applications using Mendix 9≥ V9.3.0<V9.24.229.24.22

Remediation & Mitigation

0/5

Do now

0/1

HARDENINGRestrict role management capabilities to only trusted administrators; audit which users currently have permission to modify roles

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Mendix Applications using Mendix 10 (V10.6)

HOTFIXUpdate Mendix 10 (V10.6 branch) applications to version 10.6.9 or later

All products

HOTFIXUpdate Mendix 9 applications to version 9.24.22 or later

HOTFIXUpdate Mendix 10 applications to version 10.11.0 or later

Long-term hardening

0/1

HARDENINGSegment network access to Mendix applications so they are not directly accessible from the internet or untrusted networks

CVEs (1)

CVE-2024-33500

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f122ee9e-c0c8-424e-8afb-42d77fba692a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.