Code Execution Vulnerability (libwebp CVE-2023-4863) in Mendix Studio Pro
Priority: Act Now
Severity score: 7.5
Advisory ID: SSA-268517
Published: Nov 14, 2023
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary
Mendix Studio Pro contains an out-of-bounds write vulnerability in the integrated libwebp library (CVE-2023-4863) that could allow an attacker to execute arbitrary code in the context of a victim user's system.
What this means
What could happen
An attacker could execute arbitrary code on an engineering workstation running Mendix Studio Pro, potentially compromising application designs, stealing credentials, or deploying malicious changes to industrial control applications.
Who's at risk
Engineering and development teams using Mendix Studio Pro to design and deploy industrial control applications, especially those working on water treatment, electric grid management, or other critical infrastructure automation systems.
How it could be exploited
An attacker sends a malicious image file (WebP format) to a user or embeds it in a project resource. When the user opens or views the image in Mendix Studio Pro, the out-of-bounds write in libwebp is triggered and the attacker's code runs with the user's privileges.
Prerequisites
- User must open a malicious WebP image file within Mendix Studio Pro
- User interaction is required (opening the file or project)
Tags: actively exploited (KEV) · high EPSS score (94.1%) · code execution in user context · user interaction required
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (4)
4 with fix
Product                 Affected Versions   Fix Status
Mendix Studio Pro 10    < V10.3.1           10.3.1
Mendix Studio Pro 7     < V7.23.37          7.23.37
Mendix Studio Pro 8     < V8.18.27          8.18.27
Mendix Studio Pro 9     < V9.24.0           9.24.0
Remediation & Mitigation
Do now
Mendix Studio Pro 10
HOTFIX: Update Mendix Studio Pro 10 to version 10.3.1 or later
Mendix Studio Pro 9
HOTFIX: Update Mendix Studio Pro 9 to version 9.24.0 or later
Mendix Studio Pro 8
HOTFIX: Update Mendix Studio Pro 8 to version 8.18.27 or later
Mendix Studio Pro 7
HOTFIX: Update Mendix Studio Pro 7 to version 7.23.37 or later
All products
WORKAROUND: Restrict opening untrusted WebP image files or projects from unknown sources until patched
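To apply the fix table above across a fleet of engineering workstations, here is an added example (not Siemens' or Mendix's code) that classifies Studio Pro version strings against the first fixed version of each release line listed in this advisory; the host inventory it runs on is constructed sample data.

```python
"""Classify Mendix Studio Pro versions against the fixes in SSA-268517.

Added example, not vendor code. FIXED_VERSIONS is copied from the
advisory's table; all host/version inputs below are constructed samples.
"""
from typing import Optional

# First fixed version per major release line, as listed in SSA-268517.
FIXED_VERSIONS = {
    7: (7, 23, 37),
    8: (8, 18, 27),
    9: (9, 24, 0),
    10: (10, 3, 1),
}


def parse_version(version: str) -> tuple:
    """Turn '9.24.0', 'V10.3.1' or '8.18.26.1234' into an integer tuple.

    Short strings are padded to three parts so '10.3' compares as 10.3.0;
    a trailing build number (4th part) is kept and compared naturally.
    """
    parts = version.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_affected(version: str) -> Optional[bool]:
    """True = below the fixed version, False = fixed, None = line not covered."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None  # e.g. a release line the advisory does not list
    return v < fixed


def triage(inventory: dict) -> dict:
    """Map each host to a status label for a {host: version} inventory."""
    labels = {True: "VULNERABLE", False: "fixed", None: "unknown line"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are illustrative only.
    sample = {"eng-ws-01": "10.3.0", "eng-ws-02": "V9.24.0",
              "eng-ws-03": "8.18.26.1234", "eng-ws-04": "11.0.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```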
CVEs (1): CVE-2023-4863