Siemens Mendix OIDC SSO

Risk: Low
CVSS: 2.2
ICS-CERT: ICSA-25-135-15
Published: May 13, 2025
Vendor: Siemens
Attack path
  Attack Vector: Network
  Auth Required: High
  Complexity: High
  User Interaction: None needed
Summary

The Mendix OIDC SSO module's default configuration grants read and write access to OIDC tokens exclusively to the Administrator role. A malicious administrator could modify OIDC tokens during development, potentially affecting authentication and authorization. Siemens has released fixes for Mendix 10 compatible and Mendix 10.12 compatible versions. The Mendix 9 compatible version has no patch available; only compensating controls are available.

What this means
What could happen
An attacker with administrator credentials could read or write OIDC tokens in Mendix OIDC SSO during development, potentially modifying authentication tokens to impersonate other users or escalate privileges within applications using this module.
Who's at risk
This affects organizations using Siemens Mendix for low-code application development, particularly those building authentication-dependent applications. Development teams and IT personnel managing Mendix environments should evaluate their versions. While Mendix itself is an IT platform, it is frequently used in industrial settings to build applications that interface with control systems, HMIs, and data collection systems.
How it could be exploited
An attacker with administrator role access to a Mendix development environment containing the OIDC SSO module could directly modify the OIDC.Token entity to read or write authentication tokens. This requires deep access to the Mendix development platform itself, making this primarily a risk during the application development lifecycle rather than in deployed production systems.
Prerequisites
  • Administrator role credentials in the Mendix development environment
  • Access to the Mendix application during development
  • Vulnerable version of Mendix OIDC SSO module deployed in development environment
  • High attack complexity
  • Requires administrator credentials
  • Low CVSS severity (2.2)
  • No active exploitation reported
  • Mendix 9 version lacks vendor fix
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3)
3 with fix
Product                                        Affected Versions   Fix Status
Mendix OIDC SSO (Mendix 10 compatible)         < 4.1.0             4.1.0
Mendix OIDC SSO (Mendix 10.12 compatible)      < 4.0.1             4.0.1
Mendix OIDC SSO (Mendix 9 compatible)          < 3.3.0             3.3.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix OIDC SSO (Mendix 10 compatible)
  HOTFIX: Update Mendix OIDC SSO (Mendix 10 compatible) to version 4.1.0 or later
Mendix OIDC SSO (Mendix 10.12 compatible)
  HOTFIX: Update Mendix OIDC SSO (Mendix 10.12 compatible) to version 4.0.1 or later
Long-term hardening
Mendix OIDC SSO (Mendix 9 compatible)
  HARDENING: For Mendix 9 compatible OIDC SSO, review and restrict access rules on the OIDC.Token entity to the administrator role only, or create a dedicated administrative role with the minimal permissions required for token handling
All products
  HARDENING: Restrict network access to Mendix development environments to authorized development personnel only, using VPN or network segmentation