Usernames Disclosure Vulnerability in Mendix Runtime
Monitor | 5.3 | SSA-097435 | Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Mendix Runtime contains an observable response discrepancy vulnerability in the way it validates usernames during authentication. It allows unauthenticated remote attackers to distinguish valid from invalid usernames by observing differences in the authentication responses. The root cause is inconsistent error handling that leaks information about username validity, which enables account enumeration; the enumerated accounts can then be used to identify real users for targeted phishing, credential stuffing, or brute-force campaigns.
What this means
What could happen
An attacker can determine whether a username exists in your Mendix application without knowing the password, enabling targeted account enumeration and follow-up phishing or brute-force attacks.
Who's at risk
Organizations using Siemens Mendix for application development or deployment should care about this vulnerability. This affects any web or mobile application built on Mendix Runtime (versions 8, 9, 10, 10.6, 10.12) that handles user authentication. Affected users include water utilities, energy providers, and industrial facilities that use Mendix-based SCADA interfaces, historian systems, or operational dashboards.
How it could be exploited
An attacker sends login requests to your Mendix application with various username combinations. By observing differences in the authentication response (timing, error messages, or response structure), the attacker can determine which usernames are valid. This information can then be used for targeted attacks against real accounts.
Prerequisites
- Network access to the Mendix application login endpoint
- No credentials required
- Application running on vulnerable Mendix Runtime version
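To make the defect class concrete, here is an added example (not Mendix code, and not taken from the advisory) in generic Python: a login check that answers differently for unknown users and for wrong passwords, beside a hardened version that returns one generic message and spends the same password-hashing cost whether or not the username exists. The user store, the dummy credential and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store (username -> (salt, PBKDF2-SHA256 hash)); not real data.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential: unknown usernames are verified against it so that
# the unknown-user path costs the same hashing work as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("unused", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password"


def vulnerable_login(username: str, password: str):
    """The discrepancy pattern: distinct messages and an early return.
    Both the message text and the skipped hash computation reveal whether
    the username exists."""
    record = USERS.get(username)
    if record is None:
        return 401, "Unknown user"      # leaks: the username does not exist
    salt, stored = record
    if _hash_password(password, salt) != stored:
        return 401, "Wrong password"    # leaks: the username exists
    return 200, "OK"


def hardened_login(username: str, password: str):
    """Uniform response: same message, same hashing cost, constant-time compare."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)   # always computed
    # compare_digest runs in time independent of where the digests differ;
    # the explicit record check prevents a dummy-hash match from logging in.
    matched = hmac.compare_digest(candidate, stored) and record is not None
    if not matched:
        return 401, GENERIC_ERROR
    return 200, "OK"


def response_discrepancy(login, known: str, unknown: str, password: str = "wrong") -> bool:
    """True if a known and an unknown username produce different (status, body) pairs.
    A defender can run this against a login handler as a regression check."""
    return login(known, password) != login(unknown, password)


if __name__ == "__main__":
    print("vulnerable discrepancy:", response_discrepancy(vulnerable_login, "alice", "nobody"))
    print("hardened discrepancy:  ", response_discrepancy(hardened_login, "alice", "nobody"))
```

The `response_discrepancy` check only covers status code and body; in a real deployment the same idea extends to response timing and headers, which is why the hardened path also keeps the hashing work constant across both branches.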
Remotely exploitable · No authentication required · Low complexity attack · Username enumeration enables follow-up attacks
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
Mendix Runtime V8 | < 8.18.33 | 8.18.33
Mendix Runtime V9 | < 9.24.31 | 9.24.31
Mendix Runtime V10 | < 10.17.0 | 10.17.0
Mendix Runtime V10.6 | < 10.6.19 | 10.6.19
Mendix Runtime V10.12 | < 10.12.11 | 10.12.11
Remediation & Mitigation
Do now
WORKAROUND: Implement rate limiting on authentication endpoints to slow username enumeration attempts
HARDENING: Monitor login logs for suspicious patterns of failed authentication attempts across multiple usernames
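The hardening item above can be turned into a simple detection rule. The following is an added example (not part of the advisory and not Mendix's own tooling) that scans authentication log lines for a source that fails logins against many distinct usernames within a short window, the signature of an enumeration sweep. The log format (`timestamp src=… user=… result=…`) and the sample lines are constructed for the example; a real deployment would adapt `LINE_RE` to the application's actual login log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical key=value format (not Mendix's real format).
# 203.0.113.5 sweeps six different usernames in six seconds; 198.51.100.7 is one
# user mistyping a password twice, which should not trigger an alert.
SAMPLE_LOG = """\
2024-09-10T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-09-10T08:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-09-10T08:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-09-10T08:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-09-10T08:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-09-10T08:00:06Z src=203.0.113.5 user=frank result=FAIL
2024-09-10T08:00:10Z src=198.51.100.7 user=alice result=FAIL
2024-09-10T08:00:20Z src=198.51.100.7 user=alice result=FAIL
2024-09-10T08:00:30Z src=198.51.100.7 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, src, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"]


def detect_enumeration(log_text: str, window=timedelta(seconds=60), threshold=5):
    """Flag each source IP whose failed logins cover >= threshold distinct
    usernames within any sliding window of the given length.
    Returns {src: (time_of_first_alert, distinct_usernames_at_that_time)}."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])          # logs may arrive out of order
    recent = defaultdict(deque)              # src -> deque of (ts, user) failures in window
    alerts = {}
    for ts, src, user, result in events:
        if result != "FAIL":
            continue                         # successes do not count toward a sweep
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (ts, n) in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct usernames failed within 60s (at {ts:%H:%M:%S})")
```

Counting distinct usernames rather than raw failures is what separates an enumeration sweep from an ordinary user retrying a password, so a brute-force rule on total failures per source should be kept as a separate alert alongside this one.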
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Mendix Runtime V8
HOTFIX: Update Mendix Runtime V8 to version 8.18.33 or later
Mendix Runtime V9
HOTFIX: Update Mendix Runtime V9 to version 9.24.31 or later
Mendix Runtime V10
HOTFIX: Update Mendix Runtime V10 to version 10.17.0 or later
HOTFIX: Update Mendix Runtime V10.6 to version 10.6.19 or later
HOTFIX: Update Mendix Runtime V10.12 to version 10.12.11 or later
CVEs (1)
API:
/api/v1/advisories/3ee7c634-2927-462c-8332-d07dcb46a953