Siemens Mendix Runtime

Monitor
CVSS 5.3
ICS-CERT ICSA-25-105-01
Apr 8, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mendix Runtime contains an entity enumeration vulnerability that allows unauthenticated remote attackers to list valid entities and attribute names through distinguishable application responses. Mendix Runtime V8, V9, V10.6, V10.12, and V10.18 currently have no available fixes. Mendix Runtime V10 has been patched in version 10.21.0. The vulnerability enables information disclosure and facilitates reconnaissance of application data models.

What this means
What could happen
An attacker could enumerate valid entities and attribute names within a Mendix-based industrial application without authentication, potentially revealing sensitive system structure and data model to aid reconnaissance for further attacks.
Who's at risk
Organizations running Mendix Runtime-based industrial applications, including those used in manufacturing, utilities, and critical infrastructure monitoring systems. This affects both V8 and V9 versions that lack patches, and V10 variants with different release schedules.
How it could be exploited
An attacker sends crafted requests to the Mendix Runtime application over the network and observes distinguishable response patterns that reveal whether entity or attribute names are valid. This information disclosure can map the application's data model without needing to authenticate.
Prerequisites
  • Network access to the Mendix Runtime application port
  • Application must expose entity enumeration through response differentiation
  • No authentication credentials required
Tags: remotely exploitable; no authentication required; low complexity; information disclosure leading to reconnaissance; multiple versions with delayed patch availability
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
6 with fix
Product                 Affected Versions   Fix Status
Mendix Runtime V8       < V8.18.35          8.18.35
Mendix Runtime V9       < V9.24.34          9.24.34
Mendix Runtime V10      < V10.21.0          10.21.0
Mendix Runtime V10.6    < V10.6.22          10.6.22
Mendix Runtime V10.12   < V10.12.16         10.12.16
Mendix Runtime V10.18   < V10.18.5          10.18.5
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Mendix Runtime application to only trusted networks using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Runtime V10
HOTFIX: Update Mendix Runtime V10 to version 10.21.0 or later
Long-term hardening
HARDENING: Isolate Mendix Runtime instances from the internet and place them behind a firewall
HARDENING: Monitor for repeated entity enumeration requests or suspicious reconnaissance patterns
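As an added example (not part of this advisory, and not Siemens or Mendix tooling), a detection sketch for the monitoring recommendation above: it flags unauthenticated clients that probe many distinct entity names within a short window and receive two or more distinguishable response shapes, which is the oracle the summary describes. The log format, the `session=` field and the `entity=` query parameter are assumed and constructed for illustration; they are not Mendix Runtime's real request or log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# ASSUMED reverse-proxy log format (constructed, not Mendix Runtime's own):
# "<iso-time> <client-ip> session=<yes|no> <method> <path> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) session=(?P<sess>yes|no) \S+ "
    r"\S*[?&]entity=(?P<entity>[\w.]+)\S* (?P<status>\d{3}) (?P<size>\d+)$"
)

# Constructed sample: one unauthenticated client probing entity names and
# receiving two distinguishable response shapes; one normal authenticated user.
SAMPLE_LOG = """\
2025-04-08T10:00:00Z 203.0.113.5 session=no POST /runtime/query?entity=Sales.Order 200 412
2025-04-08T10:00:01Z 203.0.113.5 session=no POST /runtime/query?entity=Sales.Foo 400 97
2025-04-08T10:00:01Z 203.0.113.5 session=no POST /runtime/query?entity=Sales.Customer 200 412
2025-04-08T10:00:02Z 203.0.113.5 session=no POST /runtime/query?entity=Sales.Bar 400 97
2025-04-08T10:00:03Z 203.0.113.5 session=no POST /runtime/query?entity=Admin.Account 200 412
2025-04-08T10:00:03Z 203.0.113.5 session=no POST /runtime/query?entity=Plant.Qux 400 97
2025-04-08T10:05:00Z 198.51.100.7 session=yes POST /runtime/query?entity=Sales.Order 200 412
2025-04-08T10:05:03Z 198.51.100.7 session=yes POST /runtime/query?entity=Sales.Customer 200 412
"""

def parse(lines):
    """Yield parsed records; lines that do not match the assumed format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield rec

def find_enumerators(lines, window_s=60, min_names=5):
    """Return {ip: (distinct_entity_names, response_classes)} for unauthenticated
    clients that request >= min_names distinct entities inside one window AND get
    >= 2 response classes (status + body size as a coarse response fingerprint)."""
    by_ip = defaultdict(list)
    for rec in parse(lines):
        if rec["sess"] == "no":          # only sessionless traffic is in scope
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):   # sliding window anchored at each request
            names, classes = set(), set()
            for r in recs[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                names.add(r["entity"])
                classes.add((r["status"], r["size"]))
            if len(names) >= min_names and len(classes) >= 2:
                alerts[ip] = (len(names), len(classes))
                break
    return alerts

if __name__ == "__main__":
    for ip, (n, c) in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"possible entity enumeration from {ip}: {n} names, {c} response classes")
```

Tune `window_s` and `min_names` against a baseline of legitimate anonymous traffic; a single response class across many names is a weaker signal, since no valid/invalid distinction is leaking.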


Siemens Mendix Runtime | CVSS 5.3 - OTPulse