Siemens Mendix LDAP
Action: Plan Patch
CVSS score: 7.4
Source: ICS-CERT ICSA-25-016-01
Date: Jan 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Mendix LDAP module versions below 1.1.2 contain an LDAP injection vulnerability (CWE-90) that allows an unauthenticated remote attacker to bypass username verification. By injecting malicious LDAP query syntax into the username field, an attacker could authenticate without knowing the correct password. The vulnerability has high attack complexity, making exploitation more difficult than typical remote code execution issues.
What this means
What could happen
An attacker could bypass username verification in Mendix LDAP authentication, potentially gaining unauthorized access to applications that rely on this module for user authentication. This could allow access to control logic, data, or other features without valid credentials.
Who's at risk
Organizations using Mendix applications with the LDAP authentication module for access control should care about this issue. This affects any application that relies on Mendix LDAP for user authentication, particularly if those applications are used to manage or monitor industrial processes, data collection systems, or other critical functions.
How it could be exploited
An attacker sends a crafted LDAP injection payload in the username field to the Mendix application. The vulnerable LDAP module fails to sanitize the input, allowing the attacker to manipulate the LDAP query and bypass the username verification step, effectively logging in without knowing the correct password.
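To make the mitigation class concrete, the following is an added example (not the Mendix LDAP module's own code) that builds an LDAP search filter from a user-supplied username. It contrasts raw concatenation, the CWE-90 pattern this advisory describes, with RFC 4515 value escaping, and counts the filter's structural parentheses to show that escaped input cannot add query components. The filter shape `(&(objectClass=person)(uid=...))` is an assumption; the module's real filter is not on the page.

```python
# Added example, not the Mendix LDAP module's code. Demonstrates why
# escaping user input before it enters an LDAP filter prevents the
# filter-structure manipulation described in this advisory.

ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3, so it can only
    match as a literal value inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in ESCAPES:
            out.append(ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # control and non-ASCII characters: escape every UTF-8 byte
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


# Hypothetical filter shape; the module's real filter is not on the page.
USER_FILTER = "(&(objectClass=person)(uid=%s))"


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable pattern (CWE-90): raw concatenation lets filter
    metacharacters in the username change the query's structure."""
    return USER_FILTER % username


def build_user_filter(username: str) -> str:
    """Hardened form: the username is escaped before entering the filter."""
    return USER_FILTER % escape_filter_value(username)


def structural_parens(filter_str: str) -> int:
    """Count '(' characters that act as filter structure; \\xx escape
    sequences are skipped. USER_FILTER always has exactly 3 when the
    value is escaped; a higher count means the value injected structure."""
    count, i = 0, 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3  # skip a \xx escape sequence
            continue
        if filter_str[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    sample = "a)(b"  # constructed input containing filter metacharacters
    print(build_user_filter_unsafe(sample), structural_parens(build_user_filter_unsafe(sample)))
    print(build_user_filter(sample), structural_parens(build_user_filter(sample)))
```

A real deployment should additionally bind with the user's own credentials after the lookup, so that a matching entry alone never grants a session.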
Prerequisites
- Network access to the Mendix application (reachable over the network)
- Mendix LDAP module version below 1.1.2 installed and configured for authentication
Tags: remotely exploitable · no authentication required · affects authentication/access control · high CVSS score (7.4)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Mendix LDAP | < V1.1.2 | 1.1.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Mendix application using firewall rules; only allow connections from trusted workstations or networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Mendix LDAP module to version 1.1.2 or later
Long-term hardening
HARDENING: Place the Mendix application and its supporting systems on a separate network segment isolated from business networks and the internet
CVEs (1)