Improper Access Control Vulnerability in Mendix
Monitor · CVSS 4.9 · SSA-433782 · Jul 12, 2022
Attack Vector: Network
Auth Required: High (the attacker must hold an authenticated user's session)
Complexity: Low
User Interaction: None needed
Summary
An improper access control vulnerability allows attackers with access to an active user session to bypass password validation mechanisms and reset that user's password. An attacker who gains access to a legitimate user's active session can change the password and take over the account. Siemens has released patched versions: Mendix 7.23.31+, 8.18.18+, 9.6.12+, 9.12.2+, and 9.14+.
What this means
What could happen
An attacker with access to an active user session could reset that user's password and take over their account, potentially gaining administrative privileges if the compromised account is elevated. This could allow unauthorized changes to applications or data.
Who's at risk
Organizations running Mendix applications (web or mobile apps built on the Mendix low-code platform) should care about this vulnerability. It affects applications built on Mendix 7 before 7.23.31, Mendix 8 before 8.18.18, Mendix 9.6 before 9.6.12, Mendix 9.12 before 9.12.2, and other Mendix 9 releases before 9.14.0. Mendix is commonly used for enterprise workflow, process automation, and data management applications in utilities, manufacturing, and government.
How it could be exploited
An attacker who gains access to an active user session (through malware on the workstation, a stolen session cookie or token, or physical access to a logged-in browser) can exploit the improper access control to bypass the password validation in the Mendix framework. They invoke the password-change function with the hijacked session, and the application sets the new password without asking for the current one. The attacker now holds credentials for the account and no longer depends on the stolen session.
Prerequisites
- Access to an active user session (compromised browser session, workstation malware, or physical access)
- The session token of a legitimate Mendix application user; the user's password is not needed
- Access to the Mendix application interface or API
Key points:
- No further authentication once a session is held: any active session suffices, which is why the rating is "Auth Required: High" rather than unauthenticated
- Low complexity exploitation
- High impact if the hijacked session belongs to an administrative account
- Affects Mendix 7, 8 and 9 releases before the fixed versions
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
Mendix Applications using Mendix 9 | < V9.14.0 | V9.14.0
Mendix Applications using Mendix 9 (V9.12) | < V9.12.2 | V9.12.2
Mendix Applications using Mendix 9 (V9.6) | < V9.6.12 | V9.6.12
Mendix Applications using Mendix 7 | < V7.23.31 | V7.23.31
Mendix Applications using Mendix 8 | < V8.18.18 | V8.18.18
Remediation & Mitigation
Do now
HARDENING: Monitor application and audit logs for password changes the user did not initiate, in particular changes made from a source address other than the one that opened the session, and for unexpected account access; treat such a change as a likely session hijack and invalidate all of that user's sessions.
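A starting point for that monitoring, as an added example that is not Mendix tooling: a script that replays an audit log and flags password changes made from a different address than the session's login, or in a session that never re-authenticated with the current password. The log format and the sample lines are constructed for illustration; the event and field names (event, session, user, ip, result, reauth) are assumptions to map onto the application's own log.

```python
# Added example: flag session-driven password resets in an audit log.
# The key=value log format below is constructed, not Mendix's own format.
import re

FIELD_RE = re.compile(r"(?P<key>\w+)=(?P<value>\S+)")

# Constructed sample audit log: alice re-authenticates before changing her
# password; bob's change comes from a new address; carol's change has no
# re-auth; dave's session was never seen logging in at all.
SAMPLE_LOG = """\
2022-07-12T09:00:01Z event=login session=s1 user=alice ip=10.0.0.5 result=ok
2022-07-12T09:05:30Z event=reauth session=s1 user=alice ip=10.0.0.5 result=ok
2022-07-12T09:05:31Z event=password_change session=s1 user=alice ip=10.0.0.5 result=ok
2022-07-12T10:00:00Z event=login session=s2 user=bob ip=10.0.0.9 result=ok
2022-07-12T10:42:10Z event=password_change session=s2 user=bob ip=203.0.113.7 result=ok
2022-07-12T11:00:00Z event=login session=s3 user=carol ip=10.0.0.12 result=ok
2022-07-12T11:01:00Z event=password_change session=s3 user=carol ip=10.0.0.12 result=ok
2022-07-12T11:30:00Z event=password_change session=s9 user=dave ip=198.51.100.4 result=ok
"""


def parse_line(line: str) -> dict[str, str]:
    """Split 'TIMESTAMP key=value ...' into a dict with a 'ts' field."""
    ts, _, rest = line.partition(" ")
    rec = {m["key"]: m["value"] for m in FIELD_RE.finditer(rest)}
    rec["ts"] = ts
    return rec


def find_suspicious_password_changes(log_text: str) -> list[dict]:
    """Return one finding per password change that breaks either rule."""
    login_ip: dict[str, str] = {}   # session id -> address that opened it
    reauthed: set[str] = set()      # sessions that proved the current password
    findings: list[dict] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("result") != "ok":
            continue
        event, sid = rec.get("event"), rec.get("session")
        if event == "login":
            login_ip[sid] = rec["ip"]
        elif event == "reauth":
            reauthed.add(sid)
        elif event == "password_change":
            reasons = []
            if sid not in login_ip:
                reasons.append("no login recorded for this session")
            elif login_ip[sid] != rec["ip"]:
                reasons.append(f"source ip changed {login_ip[sid]} -> {rec['ip']}")
            if sid not in reauthed:
                reasons.append("no current-password re-auth in session")
            if reasons:
                findings.append({"ts": rec["ts"], "user": rec.get("user"),
                                 "session": sid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_password_changes(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} session={f['session']}: " + "; ".join(f["reasons"]))
```

The re-auth rule only works once the fixed Mendix version is deployed and the application actually asks for the current password; before that it will fire on every change, which is itself a useful inventory of resets to review.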
Schedule — requires maintenance window
Upgrading the Mendix version means rebuilding and redeploying each affected application, so plan for an outage of those applications
HOTFIX: Update Mendix 7 projects to version 7.23.31 or later and redeploy applications
HOTFIX: Update Mendix 8 projects to version 8.18.18 or later and redeploy applications
HOTFIX: Update Mendix 9.6 projects to version 9.6.12 or later and redeploy applications
HOTFIX: Update Mendix 9.12 projects to version 9.12.2 or later and redeploy applications
HOTFIX: Update other Mendix 9 projects to version 9.14.0 or later and redeploy applications
Long-term hardening
HARDENING: Implement network segmentation to restrict unauthorized user workstation access to Mendix applications, and keep session lifetimes short so a stolen session token stays usable for as little time as possible
CVEs (1)