Siemens Mendix Studio Pro
6.1 · ICS-CERT ICSA-25-168-01 · Jun 12, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
Mendix Studio Pro contains a path traversal vulnerability (CWE-22) in the module installation process that allows an attacker to write or modify arbitrary files outside a developer's project directory. The vulnerability requires user interaction (installing an untrusted module) and has high attack complexity. Affected versions: Studio Pro 8 before 8.18.35, Studio Pro 9 before 9.24.35, Studio Pro 10 before 10.23.0, Studio Pro 10.6 before 10.6.24, Studio Pro 10.12 before 10.12.17, Studio Pro 10.18 before 10.18.7, and Studio Pro 11 (no fix available).
What this means
What could happen
A developer could be tricked into installing a malicious module that writes or modifies files on their workstation outside the project directory, potentially compromising the development environment or injecting malicious code into applications being developed for control systems.
Who's at risk
Development teams using Siemens Mendix Studio Pro for application development, particularly those building control system applications. Engineers and developers working with Studio Pro versions 8 through 11 are affected. This is primarily a risk to the development environment and the integrity of applications being built for industrial operations.
How it could be exploited
An attacker crafts a malicious Mendix module and tricks a developer into installing it in Studio Pro. During installation, the module's file paths are not properly validated, allowing the attacker to use path traversal (e.g., "../../../") to write or modify files outside the intended project directory, such as application source code, configuration files, or system files on the developer's workstation.
Prerequisites
- Developer must install an untrusted or malicious module in Mendix Studio Pro
- Developer must have write permissions to the target directories on their workstation
- Module installation process must be executed (automatic during project load or manual installation)
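The check that closes this class of bug, as an added example that is not Mendix's own installer code (the advisory does not describe Studio Pro's implementation): it assumes a module is shipped as a zip-style archive whose entry names are joined onto the project directory, validates every entry name before anything is written, and refuses the whole module if any entry would resolve outside that directory. `PROJECT_DIR` and the archive contents are constructed test data.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

PROJECT_DIR = Path("/tmp/example-project")  # assumed project location (constructed)

class UnsafeModulePath(ValueError):
    """An archive entry that would land outside the project directory."""

def safe_target(project_dir: Path, entry_name: str):
    """Return the path inside project_dir for an entry, or None if it is unsafe."""
    # Absolute names, Windows drive letters and backslashes are refused outright.
    if entry_name.startswith("/") or "\\" in entry_name or ":" in entry_name[:2]:
        return None
    if ".." in PurePosixPath(entry_name).parts:  # the "../../../" pattern
        return None
    # Re-check the resolved path; this also catches symlinked parent directories.
    root = project_dir.resolve()
    target = (root / entry_name).resolve()
    if target != root and root not in target.parents:
        return None
    return target

def audit_module(archive_bytes: bytes, project_dir: Path) -> list:
    """Return the entry names that fail validation; an empty list means clean."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if safe_target(project_dir, n) is None]

def install_module(archive_bytes: bytes, project_dir: Path) -> list:
    """Fail closed: nothing is written unless every entry passed validation."""
    bad = audit_module(archive_bytes, project_dir)
    if bad:
        raise UnsafeModulePath(f"refusing install, unsafe entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target(project_dir, info.filename)
            if not info.is_dir():
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
                written.append(info.filename)
    return written

def build_archive(entries: dict) -> bytes:
    """Constructed test data: an in-memory zip built from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```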
- Requires user interaction (social engineering to install malicious module)
- High attack complexity
- Path traversal allows arbitrary file write/modify
- No authentication required for module installation
- Studio Pro 11 has no patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
7 with fix
Product | Affected Versions | Fix Status
Mendix Studio Pro 8 | < V8.18.35 | 8.18.35
Mendix Studio Pro 9 | < V9.24.35 | 9.24.35
Mendix Studio Pro 10 | < V10.23.0 | 10.23.0
Mendix Studio Pro 10.6 | < V10.6.24 | 10.6.24
Mendix Studio Pro 10.12 | < V10.12.17 | 10.12.17
Mendix Studio Pro 10.18 | < V10.18.7 | 10.18.7
Mendix Studio Pro 11 | < V11.0.0 | 11.0.0
Remediation & Mitigation
Do now
WORKAROUND: Do not install untrusted or unverified modules in Studio Pro projects
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Mendix Studio Pro 8
HOTFIX: Update Mendix Studio Pro 8 to version 8.18.35 or later
Mendix Studio Pro 9
HOTFIX: Update Mendix Studio Pro 9 to version 9.24.35 or later
Mendix Studio Pro 10
HOTFIX: Update Mendix Studio Pro 10 to version 10.23.0 or later
HOTFIX: Update Mendix Studio Pro 10.6 to version 10.6.24 or later
HOTFIX: Update Mendix Studio Pro 10.12 to version 10.12.17 or later
HOTFIX: Update Mendix Studio Pro 10.18 to version 10.18.7 or later
CVEs (1)