Siemens Mendix Runtime
Score: 5.3 · ICS-CERT ICSA-25-105-01 · Apr 8, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Mendix Runtime allows entity enumeration through distinguishable responses in client actions. An unauthenticated remote attacker can list all valid entities and attribute names in a Mendix Runtime-based application by analyzing differences in HTTP responses. This reveals the application's data model and structure without requiring credentials.
What this means
What could happen
An attacker can discover all valid entities and attribute names in your Mendix-based application without authentication, potentially revealing the data model and sensitive business logic that could be used in follow-up attacks.
Who's at risk
Organizations running Mendix Runtime-based applications (versions 8, 9, 10.6, 10.12, 10.18, and core version 10) that are exposed to network access should be concerned. This affects any business application, manufacturing execution system (MES), or data portal built on Mendix that lacks network segmentation.
How it could be exploited
An attacker sends web requests to the Mendix Runtime application from the network and observes differences in the application's responses. By analyzing these distinguishable responses, the attacker can systematically enumerate all valid entities and attributes without providing credentials.
Prerequisites
- Network access to the Mendix Runtime application over HTTP/HTTPS
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · information disclosure vulnerability
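The exploitation path above (many unauthenticated requests, each answered in a distinguishable way) has a recognisable shape in web access logs. The following is an added detection example, not code from the advisory or from Siemens/Mendix: it parses common-log-format lines, groups them per client IP in a sliding time window, and flags sources that issue many requests to distinct targets while receiving at least two distinguishable response classes (status code, body size). The log format, the thresholds and the request target `/action?candidate=NNN` are assumptions; the advisory does not describe the real Mendix request or response format, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common log format with enough fields for the heuristic: client IP, timestamp,
# request line, status and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_enumeration(lines, window_seconds=60, min_requests=20,
                     min_distinct_paths=15, min_response_classes=2):
    """Flag client IPs whose traffic inside a sliding time window has the shape of
    response-based enumeration: many requests, almost all to distinct request targets,
    answered in at least two distinguishable ways (status code, body size).
    The thresholds are assumptions and must be tuned against normal application traffic."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the window spans at most window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            paths = {r["path"] for r in window}
            classes = {(r["status"], r["size"]) for r in window}
            if len(paths) >= min_distinct_paths and len(classes) >= min_response_classes:
                candidate = {
                    "ip": ip,
                    "requests": len(window),
                    "distinct_paths": len(paths),
                    "response_classes": len(classes),
                    "window_start": window[0]["ts"].isoformat(),
                }
                # Keep the widest window seen for this IP so the alert reports full scope.
                if best is None or candidate["distinct_paths"] > best["distinct_paths"]:
                    best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


def build_sample_log():
    """Constructed sample log (not real traffic). The request target is a placeholder:
    the advisory does not describe the actual Mendix request or response format."""
    base = datetime(2025, 4, 8, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Hypothetical probing client: 30 requests in 30 seconds, each naming a different
    # candidate, answered in two distinguishable ways (status and body size differ).
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        status, size = (200, 412) if i % 3 == 0 else (404, 87)
        lines.append(f'198.51.100.7 - - [{ts}] "POST /action?candidate={i:03d} HTTP/1.1" {status} {size}')
    # Ordinary client: a few requests to the same page over the same period.
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /index.html HTTP/1.1" 200 1342')
    return lines


if __name__ == "__main__":
    for alert in find_enumeration(build_sample_log()):
        print(alert)
```

Run against the constructed log, the probing client is reported once (30 requests, 30 distinct targets, 2 response classes) and the ordinary client is not. The heuristic keys on request volume and response variety rather than on any particular path, so it stays useful even though the advisory does not name the affected endpoint; expect to raise the thresholds on applications whose normal clients legitimately fan out across many distinct URLs.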
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
6 with fix
Product               | Affected Versions | Fix Status
Mendix Runtime V8     | < V8.18.35        | 8.18.35
Mendix Runtime V9     | < V9.24.34        | 9.24.34
Mendix Runtime V10    | < V10.21.0        | 10.21.0
Mendix Runtime V10.6  | < V10.6.22        | 10.6.22
Mendix Runtime V10.12 | < V10.12.16       | 10.12.16
Mendix Runtime V10.18 | < V10.18.5        | 10.18.5
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Mendix Runtime applications using firewalls, limiting exposure to trusted internal networks only
HARDENING: Isolate Mendix Runtime systems from the internet and untrusted networks
WORKAROUND: Use VPN or secure remote access methods for any external connections to Mendix systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Mendix Runtime V10
HOTFIX: Update Mendix Runtime V10 to version 10.21.0 or later
HOTFIX: Update Mendix Runtime V10.6 to version 10.6.22 or later
HOTFIX: Update Mendix Runtime V10.12 to version 10.12.16 or later
HOTFIX: Update Mendix Runtime V10.18 to version 10.18.5 or later
Mendix Runtime V8
HOTFIX: Update Mendix Runtime V8 to version 8.18.35 or later
Mendix Runtime V9
HOTFIX: Update Mendix Runtime V9 to version 9.24.34 or later
CVEs (1)
API:
/api/v1/advisories/abd448f4-1358-44a3-b23e-177b90461981