OTPulse

Race Condition Vulnerability in Basic Authentication Implementation of Mendix Runtime

Monitor · CVSS 5.3 · SSA-914892 · Nov 12, 2024
Attack vector: Network
Authentication required: None
Complexity: Low
User interaction: None needed
Summary

The basic authentication mechanism of Mendix Runtime contains a race condition vulnerability that allows unauthenticated remote attackers to circumvent default account lockout measures. This enables attackers to perform repeated authentication attempts without being blocked by lockout protections.

What this means
What could happen
An attacker could bypass the account lockout protection and run credential-guessing attacks (brute force or credential stuffing) against Mendix Runtime applications without the lockout ever taking effect, potentially gaining unauthorized access to applications running on the platform.
Who's at risk
Organizations running Mendix Runtime-based applications (V8, V9, V10) should apply the updates. Any production Mendix application is affected, particularly those exposed to untrusted networks or handling sensitive operations; operators such as water and electric utilities that use Mendix applications as front ends to operational systems should treat those deployments as a priority.
How it could be exploited
An attacker sends many authentication requests to a Mendix Runtime application's login endpoint concurrently. The race condition in the lockout logic is of the classic check-then-act kind: the lockout check and the update that records a new failed attempt are not performed as one atomic step, so requests that arrive in the same window can each pass the lockout check before any of them has been counted. The attacker therefore gets many more password guesses evaluated than the lockout threshold is meant to allow, and can repeat the burst to keep the credential-guessing attack going.
Prerequisites
  • Network access to the Mendix Runtime application's authentication endpoint (typically HTTP/HTTPS on the application's exposed port)
  • No valid credentials required—the vulnerability allows bypassing the lockout mechanism itself
Key points: remotely exploitable; no authentication required to trigger the race condition; low complexity; affects account lockout, a foundational access control.
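The race described above, as an added illustration that is not Mendix code and not taken from the advisory: a lockout counter that checks and then updates in two separate steps, next to a hardened version that reserves the attempt under a lock before verifying the password. The threshold, the worker count and the sleep that widens the race window are assumptions chosen so the race reproduces deterministically.

```python
"""Check-then-act race in an account-lockout counter (added illustration;
not Mendix code). Threshold, worker count and the sleep that widens the race
window are assumptions chosen so the race reproduces deterministically."""
import threading
import time

LOCKOUT_THRESHOLD = 5   # assumed: lock the account after 5 failed attempts
WORKERS = 40            # concurrent wrong-password requests per burst
VERIFY_DELAY = 0.05     # stand-in for a slow password hash / DB round trip


class RacyLockout:
    """Vulnerable: the lockout check and the failure write are separate
    steps with no lock held across them (the race the advisory describes)."""

    def __init__(self):
        self.failures = {}  # username -> consecutive failed attempts

    def attempt(self, user, password, correct):
        # Step 1, check: every concurrent request reads the counter here
        # before any of them has written to it in step 2.
        if self.failures.get(user, 0) >= LOCKOUT_THRESHOLD:
            return "locked"
        time.sleep(VERIFY_DELAY)            # the race window
        if password == correct:
            self.failures[user] = 0
            return "ok"
        # Step 2, act: record the failure, too late to stop the others.
        self.failures[user] = self.failures.get(user, 0) + 1
        return "bad-password"


class AtomicLockout:
    """Hardened: reserve the attempt under a lock before verifying, so the
    counter is updated before any other request can read it."""

    def __init__(self):
        self.failures = {}
        self.lock = threading.Lock()

    def attempt(self, user, password, correct):
        with self.lock:
            if self.failures.get(user, 0) >= LOCKOUT_THRESHOLD:
                return "locked"
            self.failures[user] = self.failures.get(user, 0) + 1  # reserve
        time.sleep(VERIFY_DELAY)            # slow work outside the lock
        if password == correct:
            with self.lock:
                self.failures[user] = 0     # success clears the counter
            return "ok"
        return "bad-password"


def flood(policy, user="alice", correct="hunter2", workers=WORKERS):
    """Fire `workers` simultaneous wrong-password attempts at `policy` and
    return how many were actually evaluated ('bad-password') vs refused."""
    results, results_lock = [], threading.Lock()
    start = threading.Barrier(workers)   # release every request at once

    def worker(i):
        start.wait()
        outcome = policy.attempt(user, f"guess-{i}", correct)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {k: results.count(k) for k in ("bad-password", "locked", "ok")}


if __name__ == "__main__":
    print("racy   :", flood(RacyLockout()))    # far more than 5 guesses evaluated
    print("atomic :", flood(AtomicLockout()))  # exactly 5 evaluated, 35 refused
```

The hardened version consumes a counter slot before the password is checked and clears it on success, so verification still runs in parallel but no burst can exceed the threshold. An in-process lock is only enough for a single runtime instance; in a clustered deployment the same reserve-then-verify step has to be done atomically in the shared store (a transactional or atomic increment), otherwise the race simply moves between nodes.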
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (5)
4 with fix, 1 EOL
Product                Affected versions   Fix status
Mendix Runtime V8      All versions        No fix (EOL)
Mendix Runtime V9      < 9.24.29           Fixed in 9.24.29
Mendix Runtime V10     < 10.16.0           Fixed in 10.16.0
Mendix Runtime V10.6   < 10.6.15           Fixed in 10.6.15
Mendix Runtime V10.12  < 10.12.7           Fixed in 10.12.7
Remediation & Mitigation
Do now
Mendix Runtime V8
WORKAROUND: For Mendix Runtime V8 (no vendor fix available), apply network-level rate limiting on the authentication endpoints via a WAF or reverse proxy to block repeated failed login attempts from the same source. Per-source rate limiting does not stop attempts spread across many source addresses, so also plan a migration to a supported runtime version.
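To check whether the workaround above is holding, or whether the lockout was already being bypassed, scan the reverse-proxy access log for sources that accumulate more authentication failures in a short window than a working lockout would ever let through. This is an added example, not part of the advisory or of Mendix; the threshold, the window and the request path in the constructed sample lines are assumptions.

```python
"""Spotting lockout-bypass bursts in reverse-proxy access logs (added
example, not from the advisory). Threshold, window and the request path in
the constructed sample lines are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOCKOUT_THRESHOLD = 5   # assumed: the application's lockout threshold
WINDOW_SECONDS = 60     # assumed: a working lockout should not let one source
                        # through more than LOCKOUT_THRESHOLD times per window

# Combined log format: ip ident user [ts] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample: 203.0.113.7 collects eight 401s in two seconds (more
# than a working lockout would allow); 198.51.100.4 fails three times and
# then logs in. The path is a placeholder, not a documented Mendix endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2024:10:00:00 +0000] "POST /rest/orders HTTP/1.1" 401 12
203.0.113.7 - - [12/Nov/2024:10:00:00 +0000] "POST /rest/orders HTTP/1.1" 401 12
203.0.113.7 - - [12/Nov/2024:10:00:00 +0000] "POST /rest/orders HTTP/1.1" 401 12
203.0.113.7 - - [12/Nov/2024:10:00:01 +0000] "POST /rest/orders HTTP/1.1" 401 12
203.0.113.7 - - [12/Nov/2024:10:00:01 +0000] "POST /rest/orders HTTP/1.1" 401 12
203.0.113.7 - - [12/Nov/2024:10:00:01 +0000] "POST /rest/orders HTTP/1.1" 401 12
198.51.100.4 - - [12/Nov/2024:10:00:01 +0000] "POST /rest/orders HTTP/1.1" 401 12
203.0.113.7 - - [12/Nov/2024:10:00:02 +0000] "POST /rest/orders HTTP/1.1" 401 12
203.0.113.7 - - [12/Nov/2024:10:00:02 +0000] "POST /rest/orders HTTP/1.1" 401 12
198.51.100.4 - - [12/Nov/2024:10:00:04 +0000] "POST /rest/orders HTTP/1.1" 401 12
198.51.100.4 - - [12/Nov/2024:10:00:09 +0000] "POST /rest/orders HTTP/1.1" 401 12
198.51.100.4 - - [12/Nov/2024:10:00:15 +0000] "POST /rest/orders HTTP/1.1" 200 512
"""


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_lockout_bypass(lines, threshold=LOCKOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of 401 responses per source IP over lines that are
    in chronological order (as an access log is). Returns {ip: peak count in
    one window} for every source that exceeded `threshold`."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, _method, _path, status = rec
        if status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_lockout_bypass(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} auth failures within {WINDOW_SECONDS}s, "
              f"above the lockout threshold of {LOCKOUT_THRESHOLD}")
```

Two caveats when running this on real logs: an endpoint protected by HTTP Basic authentication also answers 401 to the initial unauthenticated request, so the threshold needs headroom for legitimate clients, and keying on the source address misses an attacker who spreads the burst across many addresses, which is the same gap a per-source WAF rule has. If the proxy logs the account name or a request identifier that can be joined to the application's login log, count per account instead.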
Schedule — requires maintenance window

Moving an application to a fixed runtime version means upgrading and redeploying it; plan for a service interruption.

Mendix Runtime V9
HOTFIX: Update Mendix Runtime V9 to version 9.24.29 or later
Mendix Runtime V10
HOTFIX: Update Mendix Runtime V10.6 to version 10.6.15 or later
HOTFIX: Update Mendix Runtime V10.12 to version 10.12.7 or later
HOTFIX: Update Mendix Runtime V10 (other than V10.6 and V10.12) to version 10.16.0 or later