Siemens Mendix Studio Pro

CVSS 6.1 | ICS-CERT ICSA-25-168-01 | Jun 12, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Mendix Studio Pro contains a path traversal vulnerability in the module installation process that could allow an attacker to write or modify arbitrary files in directories outside a developer's project directory. This affects multiple versions across Mendix Studio Pro 8, 9, 10, 10.6, 10.12, 10.18, and 11.

What this means
What could happen
An attacker could modify or inject malicious files outside the intended project directory during module installation, potentially compromising the integrity of development environments and allowing injection of backdoors into deployed applications. This could affect deployed Mendix applications if malicious code is embedded during development.
Who's at risk
Application developers using Siemens Mendix Studio Pro for low-code application development, particularly those deploying applications to OT environments or creating integration logic for industrial systems. This affects development teams using Mendix versions 8, 9, 10, 10.6, 10.12, 10.18, and 11. Risk is highest for development teams that may be tricked into installing modules from untrusted sources.
How it could be exploited
An attacker would need to trick a developer into installing a malicious or compromised Mendix module into their Studio Pro project. During installation, the vulnerable module installation process could be exploited to write files outside the project directory, such as into system directories or shared development folders. This requires developer interaction to install an untrusted module.
Prerequisites
  • Developer must have Mendix Studio Pro installed and running
  • Developer must be tricked into installing an untrusted or malicious module
  • Attacker must be able to distribute a compromised module or have a module already trusted in the repository

Requires user interaction (module installation)
High attack complexity
Could affect supply chain if malicious code injected into deployed applications
Mendix Studio Pro 11 has no fix planned
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (7)
7 with fix
Product                      Affected Versions   Fix Status
Mendix Studio Pro 8          < V8.18.35          8.18.35
Mendix Studio Pro 9          < V9.24.35          9.24.35
Mendix Studio Pro 10         < V10.23.0          10.23.0
Mendix Studio Pro 10.6       < V10.6.24          10.6.24
Mendix Studio Pro 10.12      < V10.12.17         10.12.17
Mendix Studio Pro 10.18      < V10.18.7          10.18.7
Mendix Studio Pro 11         < V11.0.0           11.0.0
Remediation & Mitigation
Do now
WORKAROUND: Do not install untrusted or unverified modules in Studio Pro projects; only use modules from trusted sources and verify module integrity before installation.
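Added example, not part of the advisory and not Mendix's own tooling: a pre-installation screen that opens a module package as a zip archive (Mendix .mpk packages are assumed here to be zip archives) and rejects any entry whose resolved path would fall outside the target project directory, which is the traversal pattern described under "How it could be exploited". The project path and the sample archive below are constructed placeholders.

```python
import io
import os
import posixpath
import zipfile


def unsafe_entries(archive_bytes, project_dir):
    """Return archive member names that would land outside project_dir.

    Catches '..' components, absolute paths, Windows drive letters and
    backslash separators, resolving each name the way a naive extractor
    that does os.path.join(project_dir, name) would.
    """
    root = os.path.realpath(project_dir)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            normalised = name.replace("\\", "/")  # treat '..\\' like '../'
            has_drive = len(normalised) > 1 and normalised[1] == ":"
            if posixpath.isabs(normalised) or has_drive:
                flagged.append(name)
                continue
            target = os.path.realpath(os.path.join(root, *normalised.split("/")))
            # An entry that escapes root no longer has root as its common prefix
            if os.path.commonpath([root, target]) != root:
                flagged.append(name)
    return flagged


def build_sample_module(include_traversal=True):
    """Constructed sample archive (placeholder, not a real Mendix module):
    two benign entries, optionally plus two traversal entries to be caught."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyModule/module.xml", "<module/>")
        zf.writestr("MyModule/javasource/Example.java", "class Example {}")
        if include_traversal:
            zf.writestr("../../shared/evil.jar", "placeholder")
            zf.writestr("..\\..\\AppData\\startup.cmd", "placeholder")
    return buf.getvalue()


def screen_module(archive_bytes, project_dir):
    """True only when every entry stays inside project_dir."""
    return not unsafe_entries(archive_bytes, project_dir)


if __name__ == "__main__":
    # Placeholder project path; the check is purely lexical, nothing is written
    print("rejected:", unsafe_entries(build_sample_module(), "/tmp/project-placeholder"))
```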
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Mendix Studio Pro 8
HOTFIX: Update Mendix Studio Pro 8 to version 8.18.35 or later
Mendix Studio Pro 9
HOTFIX: Update Mendix Studio Pro 9 to version 9.24.35 or later
Mendix Studio Pro 10
HOTFIX: Update Mendix Studio Pro 10 to version 10.23.0 or later
HOTFIX: Update Mendix Studio Pro 10.6 to version 10.6.24 or later
HOTFIX: Update Mendix Studio Pro 10.12 to version 10.12.17 or later
HOTFIX: Update Mendix Studio Pro 10.18 to version 10.18.7 or later