Siemens Mendix Encryption Module

Plan PatchCVSS 7.5ICS-CERT ICSA-24-193-08Jul 9, 2024

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Mendix Encryption module versions V10.0.0 and V10.0.1 contain a hard-coded default EncryptionKey that is used for any project where no individual key was specified. An attacker who obtains encrypted project data can decrypt it using this publicly-known default key, compromising the confidentiality of application configuration, business logic, and sensitive stored data. The vulnerability affects only projects that do not explicitly configure a custom encryption key. Siemens has released version 10.0.2 which corrects this issue and recommends all users update immediately.

What this means

What could happen

An attacker who obtains encrypted project data can decrypt it using the hard-coded default encryption key, exposing sensitive configuration and business logic stored in Mendix applications. This could compromise intellectual property, reveal system design, or enable modification of application behavior.

Who's at risk

Organizations using Siemens Mendix Encryption module versions 10.0.0 or 10.0.1 for application development or data encryption. This affects any Mendix-based business logic applications that process sensitive data and rely on the encryption module's default settings.

How it could be exploited

An attacker with access to encrypted Mendix project files (stored on disk, in backups, or in transit) can use the publicly-known default encryption key from vulnerable versions V10.0.0 or V10.0.1 to decrypt the data without needing credentials or system access. The attack requires only the ability to obtain and decrypt files offline.

Prerequisites

Access to encrypted Mendix project data files or encrypted backups
Knowledge of the hard-coded default encryption key (compromised due to public disclosure in vulnerable versions)
Vulnerable Mendix Encryption module version V10.0.0 or V10.0.1 in use without a custom encryption key specified

Hard-coded default credentials (encryption key)No authentication required to exploit if files are accessibleLow complexity attack (offline decryption)Affects confidentiality of application logic and stored data

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

Mendix Encryption≥ V10.0.0<V10.0.210.0.2

Remediation & Mitigation

0/4

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Mendix Encryption module to version 10.0.2 or later

HARDENINGReview and audit all Mendix projects to verify custom EncryptionKey is specified; do not rely on default values

Long-term hardening

0/2

HARDENINGRestrict network access to systems hosting Mendix applications using firewalls and network segmentation

HARDENINGSecure encrypted project data files and backups with access controls and encryption at rest

CVEs (1)

CVE-2024-39888

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/461b4299-47f6-4b8f-86b5-ebf7aa6c6c46

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.