OTPulse

Hard-coded Default Encryption Key in Mendix Encryption Module V10.0.0 and V10.0.1

CVSS 7.5 | SSA-998949 | Jul 9, 2024

Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Mendix Encryption module versions V10.0.0 and V10.0.1 contain a hard-coded default value for the EncryptionKey constant. Projects that do not specify an individual EncryptionKey will use this public default key. An attacker can use the known default key to decrypt any encrypted project data protected only by this default key.

What this means
What could happen
An attacker can decrypt sensitive project data that relies on the default encryption key, potentially exposing configuration data, credentials, or business logic embedded in encrypted fields.
Who's at risk
Organizations using Siemens Mendix platform for low-code application development, particularly those with applications handling sensitive configuration data or credentials in encrypted fields. This affects any Mendix app deployed with the vulnerable Encryption module versions that has not set a custom EncryptionKey.
How it could be exploited
An attacker who obtains ciphertext produced by a Mendix application using Encryption V10.0.0 or V10.0.1 with the default key can decrypt it offline using the published hard-coded default value. No interaction with the running application is required: ciphertext recovered from logs, backups, or a capture of network traffic is sufficient, and nothing in the application can detect the decryption.
Prerequisites
  • Access to encrypted data from the affected Mendix application
  • Mendix Encryption module V10.0.0 or V10.0.1 in use without a custom EncryptionKey configured
Tags
  • Hard-coded encryption key is public
  • No authentication required to exploit
  • Encryption can be broken offline
  • High cryptographic impact
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product             Affected Versions        Fix Status
Mendix Encryption   ≥ V10.0.0, < V10.0.2     Fixed in V10.0.2
Remediation & Mitigation
Schedule: requires a maintenance window. The module is part of the application project, so the update takes effect only after the application is rebuilt and redeployed; plan for the resulting process interruption.

Hotfix: Update the Mendix Encryption module to version 10.0.2 or later and configure a project-specific EncryptionKey. Updating the module does not change data that was already encrypted under the default key; that ciphertext, including copies in backups and logs, remains decryptable by anyone holding the public default until it is re-encrypted under the new key.
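The following is an added example, not code from the Mendix Encryption module or from this advisory. It models the defect described under "How it could be exploited" and the re-encryption step needed after the fix. The default key value, the function names, and the cipher are assumptions: the real module's constant is not reproduced here, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for the module's cipher so the script runs with the Python standard library alone.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Placeholder for the module's hard-coded default (assumed value; the real
# constant is not reproduced here). The defect is that it ships in source,
# so every attacker can read it.
DEFAULT_ENCRYPTION_KEY = "ChangeMe!DefaultModuleKey"

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: str) -> bytes:
    """Turn the configured key string into a fixed-length secret."""
    return hashlib.sha256(key.encode("utf-8")).digest()


def _xor_keystream(k: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for AES)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(k, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(p ^ s for p, s in zip(data, stream))


def encrypt(key: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    k = _derive(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor_keystream(k, nonce, plaintext)
    tag = hmac.new(k, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    k = _derive(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_keystream(k, nonce, ct)


# --- the vulnerable pattern: behaviour described for V10.0.0 / V10.0.1 ---
def encrypt_vulnerable(plaintext: bytes, key: Optional[str] = None) -> bytes:
    """Silently falls back to the public default when the project sets no key."""
    return encrypt(key or DEFAULT_ENCRYPTION_KEY, plaintext)


# --- the hardened pattern: fail closed instead of falling back ---
def encrypt_fixed(plaintext: bytes, key: Optional[str]) -> bytes:
    """Refuse to encrypt unless a project-specific key is configured."""
    if not key or key == DEFAULT_ENCRYPTION_KEY:
        raise ValueError("EncryptionKey must be set to a project-specific value")
    return encrypt(key, plaintext)


# --- what an attacker, or an auditor, does with the published default ---
def decryptable_with_default_key(blob: bytes) -> bool:
    """Offline check: does this ciphertext open with the public default key?"""
    return decrypt(DEFAULT_ENCRYPTION_KEY, blob) is not None


def rotate_key(blob: bytes, old_key: str, new_key: str) -> bytes:
    """Re-encrypt data under a new key; updating the module alone does not do this."""
    plaintext = decrypt(old_key, blob)
    if plaintext is None:
        raise ValueError("blob is not encrypted under old_key")
    return encrypt_fixed(plaintext, new_key)


if __name__ == "__main__":
    leaked = encrypt_vulnerable(b"db_password=hunter2")  # constructed sample, e.g. from a backup
    print("opens with default key:", decryptable_with_default_key(leaked))
    print("recovered plaintext:", decrypt(DEFAULT_ENCRYPTION_KEY, leaked))
    safe = rotate_key(leaked, DEFAULT_ENCRYPTION_KEY, "project-specific-key-2024")
    print("opens with default key after rotation:", decryptable_with_default_key(safe))
```

Run `decryptable_with_default_key` over ciphertext pulled from backups or logs to audit exposure: any blob it opens was protected only by the public default and must be re-encrypted with `rotate_key`, not merely left in place after the module update.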