Full Report
Mendix Runtime allows for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Entity Enumeration in Mendix Runtime via Distinguishable Responses
## CVE Details
- CVE ID: CVE-2025-30280
- CVSS Score: 5.3 (CVSS v3.1) / 6.9 (CVSS v4.0) (Medium severity based on v3.1)
- CWE: CWE-204: Observable Response Discrepancy
## Affected Systems
- Products: Mendix Runtime (V8, V9, V10)
- Versions:
  - Mendix Runtime V8: `< V8.18.35`
  - Mendix Runtime V9: `< V9.24.34`
  - Mendix Runtime V10: `< V10.21.0`
  - Mendix Runtime V10.6: `< V10.6.22`
  - Mendix Runtime V10.12: `< V10.12.16`
  - Mendix Runtime V10.18: `< V10.18.5`
- Configurations: Applicable to Mendix Runtime-based applications utilizing certain client actions where responses are distinguishable.
## Vulnerability Description
The Mendix Runtime is susceptible to entity enumeration. This flaw stems from the application providing distinguishable responses during certain client actions, which an attacker can leverage to determine the names of valid entities and attributes configured within the Mendix application. This information disclosure occurs without requiring authentication (unauthenticated remote attacker).
## Exploitation
- Status: Not stated as exploited in the wild, and no public proof of concept is cited; the nature of the flaw (distinguishable responses) suggests one would be straightforward to produce.
- Complexity: Low (CVSS v3.1: AC:L - Low Attack Complexity). The vulnerability appears readily accessible over the network.
- Attack Vector: Network (CVSS v3.1: AV:N).
## Impact
The primary impact is information disclosure regarding the application's data model structure.
- Confidentiality: Low (C:L - Information disclosure of metadata, which could aid subsequent attacks).
- Integrity: No impact indicated (I:N).
- Availability: No impact indicated (A:N).
## Remediation
### Patches
Users must update to the following minimum versions:
- Mendix Runtime V8: **V8.18.35** or later
- Mendix Runtime V9: **V9.24.34** or later
- Mendix Runtime V10: **V10.21.0** or later
- Mendix Runtime V10.6: **V10.6.22** or later
- Mendix Runtime V10.12: **V10.12.16** or later
- Mendix Runtime V10.18: **V10.18.5** or later
### Workarounds
Siemens recommends following their General Security Recommendations, which primarily focus on network protection and configuration hardening:
1. Protect network access to devices using appropriate mechanisms.
2. Configure the environment according to Siemens' operational guidelines for Industrial Security.
3. Follow recommendations in the product manuals.
## Detection
- Indicators of compromise: Not specified.
- Detection methods and tools: Detection would involve monitoring network traffic for unusual request patterns or response variations targeting entity/attribute retrieval endpoints, in particular a single source probing many distinct entity or attribute names and receiving differing responses. Refer to the vendor advisory for specific detection signatures, if available.
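The detection idea above, worked through as an added example (not part of the advisory or of Mendix): the enumeration signature for a CWE-204 oracle is one source probing many distinct entity names on the client-action endpoint while observing at least two distinct response classes (status, size). The log format, the `/client-action` path and the `entity=` field are constructed placeholders; the real endpoint and request shape depend on the application.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines, not real Mendix traffic. The path
# "/client-action" and the "entity=" field are assumed placeholders.
SAMPLE_LOG = """\
10.0.0.5 POST /client-action entity=Administration.Account 200 812
10.0.0.5 POST /client-action entity=Administration.Account 200 812
10.0.0.9 POST /client-action entity=Administration.Account 200 812
10.0.0.9 POST /client-action entity=Acme.Invoice 500 143
10.0.0.9 POST /client-action entity=Acme.Order 500 143
10.0.0.9 POST /client-action entity=System.User 200 804
10.0.0.9 POST /client-action entity=Acme.Customer 500 143
10.0.0.9 POST /client-action entity=Acme.Payment 500 143
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) entity=(?P<entity>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_enumeration(text, path="/client-action", min_entities=4, min_classes=2):
    """Flag sources that probe >= min_entities distinct entity names on the
    client-action endpoint and see >= min_classes distinct (status, size)
    response classes. Returns {src: {"entities": n, "response_classes": m}}."""
    entities = defaultdict(set)   # src -> distinct entity names requested
    classes = defaultdict(set)    # src -> distinct (status, bytes) responses
    for rec in parse_log(text):
        if rec["path"] != path:
            continue
        entities[rec["src"]].add(rec["entity"])
        classes[rec["src"]].add((rec["status"], rec["bytes"]))
    flagged = {}
    for src in entities:
        if len(entities[src]) >= min_entities and len(classes[src]) >= min_classes:
            flagged[src] = {"entities": len(entities[src]),
                            "response_classes": len(classes[src])}
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

On the constructed sample only `10.0.0.9` is flagged: it requests six distinct entity names and receives three distinct response classes, while `10.0.0.5` repeats a single name and is ignored.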
## References
- Vendor Advisories: Siemens Security Advisory SSA-874353
- Relevant links:
  - Siemens CERT Portal Advisories: hxxps://www[.]siemens[.]com/cert/advisories
  - Mendix Release Notes (V8): hxxps://docs[.]mendix[.]com/releasenotes/studio-pro/8/
  - Siemens Industrial Security Guidelines: hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
  - Siemens Industrial Security Portal: hxxps://www[.]siemens[.]com/industrialsecurity