Siemens Mendix LDAP

Plan Patch · CVSS 7.4 · ICS-CERT ICSA-25-016-01 · Jan 14, 2025
Vendor: Siemens

Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

The Mendix LDAP module contains an LDAP injection vulnerability (CWE-90) that allows an unauthenticated remote attacker to bypass username verification. An attacker with network access to the Mendix application could inject LDAP commands to authenticate without valid credentials. The vulnerability affects Mendix LDAP versions prior to 1.1.2.

What this means
What could happen
An attacker could bypass login authentication to Mendix LDAP, potentially gaining unauthorized access to applications that depend on this module for user verification. If a Mendix-based industrial application uses LDAP for access control, this could allow unauthorized users to view or modify process data, configurations, or alarms.
Who's at risk
Organizations running Mendix-based industrial or operational applications that use the LDAP module for authentication should prioritize this update. This affects any manufacturer or plant that has deployed Mendix low-code platform applications for process monitoring, alarm management, or configuration interfaces connected to LDAP directories.
How it could be exploited
An attacker sends a specially crafted LDAP query through the login interface to the Mendix application. The application does not properly validate the query before passing it to the LDAP directory, allowing the attacker to modify the query logic to bypass username/password checks and authenticate as any user, including administrators.
Prerequisites
  • Network access to the Mendix application login interface
  • Mendix LDAP module version prior to 1.1.2 must be deployed
  • LDAP directory must be configured as the authentication backend
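The root cause described above is a search filter built by concatenating the submitted username into the filter string, so filter metacharacters in the input change the query's logic. The following Python is an added illustration written for this page, not code from the Mendix LDAP module or from Siemens: it shows the vulnerable concatenation pattern beside the hardened form (an allowlist check on the username followed by RFC 4515 escaping of the assertion value), using a constructed sample input. The attribute names, the username allowlist, and the helper names are assumptions for the example.

```python
"""Escaping and validating user-supplied values before they enter an LDAP search filter."""
import re

# RFC 4515 section 3: these characters must be encoded as \XX inside a filter assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Allowlist for usernames; an assumption for this example, adjust to the directory's naming rules.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Return `value` with every filter metacharacter replaced by its \\XX escape."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(username: str) -> bool:
    """Allowlist check: only characters that can legitimately appear in a username."""
    return bool(_USERNAME_RE.fullmatch(username))


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw concatenation lets metacharacters add or close clauses."""
    return f"(&(objectClass=person)(uid={username}))"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: reject unexpected characters, then escape what remains."""
    if not is_valid_username(username):
        raise ValueError("username contains characters not permitted in this directory")
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def count_clauses(filter_str: str) -> int:
    """Count unescaped '(' characters, i.e. how many filter clauses the directory will parse."""
    return len(re.findall(r"(?<!\\)\(", filter_str))


# Constructed sample input containing filter metacharacters (not taken from any real attack).
SAMPLE_INJECTED = "jdoe*)(objectClass=*"

if __name__ == "__main__":
    unsafe = build_filter_unsafe(SAMPLE_INJECTED)
    print("unsafe filter :", unsafe, "| clauses:", count_clauses(unsafe))
    escaped = f"(&(objectClass=person)(uid={escape_filter_value(SAMPLE_INJECTED)}))"
    print("escaped filter:", escaped, "| clauses:", count_clauses(escaped))
    try:
        build_filter_safe(SAMPLE_INJECTED)
    except ValueError as err:
        print("allowlist rejected the input:", err)
```

The clause count makes the difference visible: the concatenated filter parses as four clauses, the escaped one as the three the developer wrote, because the escaped metacharacters are now literal bytes of the `uid` value. In practice a module should do both steps; escaping alone keeps the filter well-formed, while the allowlist also rejects input that has no business reaching the directory and gives the application a clear point at which to log the attempt.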
Tags: remotely exploitable · no authentication required · could allow unauthorized administrative access · LDAP injection bypasses user verification
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Mendix LDAP | < V1.1.2 | 1.1.2
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the Mendix application to authorized networks using firewall rules; do not expose the login interface to the internet
HARDENING: If remote access to Mendix is required, route it through a VPN rather than direct internet exposure
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Mendix LDAP module to version 1.1.2 or later
API: /api/v1/advisories/b7789a90-14fa-4698-a5e9-11c7cedd3a27
