PatchSiren cyber security CVE debrief
CVE-2024-33500 Siemens CVE debrief
A privilege escalation vulnerability in Siemens Mendix applications allows authenticated users with role management capabilities to elevate access rights for other users. The attack requires guessing a target role's identifier, making exploitation more difficult but still achievable. The vulnerability affects Mendix 9, Mendix 10, and Mendix 10 (V10.6) applications. Siemens has released patched versions, and a runtime configuration mitigation is available as an interim measure.
- Vendor: Siemens
- Product: Mendix Applications using Mendix 9
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-11
- Original CVE updated: 2024-06-11
- Advisory published: 2024-06-11
- Advisory updated: 2024-06-11
Who should care
Organizations running Siemens Mendix applications in production environments, particularly those in industrial and operational technology contexts. Security teams responsible for access control governance in low-code platforms. System administrators managing Mendix role configurations and runtime settings. Compliance officers tracking privilege escalation risks in business-critical applications.
Technical summary
CVE-2024-33500 is a privilege escalation vulnerability in the Siemens Mendix low-code application platform. The flaw lies in the role management functionality: users who already hold role management capabilities can modify role assignments to elevate access rights. Attack complexity is high because the attacker must guess a target role's identifier, but successful exploitation has high confidentiality and integrity impact. The vulnerability has a network attack vector, requires high privileges, and needs no user interaction. Affected versions include Mendix 9, Mendix 10, and Mendix 10 (V10.6). Siemens has released security updates, and a runtime configuration change provides interim protection at a reduced security posture.
Defensive priority
medium
Recommended defensive actions
- Apply vendor patches: update Mendix 9 applications to V9.24.22 or later, Mendix 10 applications to V10.11.0 or later, and Mendix 10 (V10.6) applications to V10.6.9 or later
- As an interim mitigation, set the runtime setting StrictReferenceChecks to false; note this reduces reference check security
- Review and audit role management permissions to ensure only trusted administrators have role management capabilities
- Monitor for unusual role assignment activities, particularly those involving privilege elevation
- Implement defense-in-depth controls per CISA ICS recommended practices for industrial control systems
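The monitoring action above can be made concrete with a small audit-log check. The script below is an added example, not code from Siemens, Mendix or this advisory; it assumes a constructed newline-delimited JSON audit format (field names `actor`, `actor_roles`, `action`, `target_user`, `role`, `result`, `reason`) and an assumed privilege ranking of role names, neither of which is a real Mendix format. It flags three patterns that follow from the description of this CVE: a role manager assigning a role above their own level, a role manager assigning a role to their own account, and a burst of failed assignments naming unknown role identifiers, which is the footprint of someone guessing identifiers.

```python
import json
from collections import Counter

# Constructed sample audit events. The JSON field names and the role names are
# assumptions for this example; they are not a real Mendix log format.
SAMPLE_EVENTS = """\
{"ts": "2024-06-11T08:00:01Z", "actor": "alice", "actor_roles": ["RoleManager"], "action": "role_assign", "target_user": "bob", "role": "Editor", "result": "ok"}
{"ts": "2024-06-11T08:00:05Z", "actor": "alice", "actor_roles": ["RoleManager"], "action": "role_assign", "target_user": "bob", "role": "Administrator", "result": "ok"}
{"ts": "2024-06-11T08:01:00Z", "actor": "mallory", "actor_roles": ["RoleManager"], "action": "role_assign", "target_user": "eve", "role": "role-1001", "result": "error", "reason": "unknown_role"}
{"ts": "2024-06-11T08:01:02Z", "actor": "mallory", "actor_roles": ["RoleManager"], "action": "role_assign", "target_user": "eve", "role": "role-1002", "result": "error", "reason": "unknown_role"}
{"ts": "2024-06-11T08:01:04Z", "actor": "mallory", "actor_roles": ["RoleManager"], "action": "role_assign", "target_user": "eve", "role": "role-1003", "result": "error", "reason": "unknown_role"}
{"ts": "2024-06-11T08:01:09Z", "actor": "mallory", "actor_roles": ["RoleManager"], "action": "role_assign", "target_user": "mallory", "role": "Administrator", "result": "ok"}
{"ts": "2024-06-11T08:02:00Z", "actor": "carol", "actor_roles": ["Administrator"], "action": "login", "result": "ok"}
{"ts": "2024-06-11T08:02:30Z", "actor": "carol", "actor_roles": ["Administrator"], "action": "role_assign", "target_user": "dave", "role": "Editor", "result": "ok"}
"""

# Assumed privilege ordering of the application's roles; higher rank = more access.
ROLE_RANK = {"User": 1, "Editor": 2, "RoleManager": 3, "Administrator": 4}
# Failed assignments with an unknown role identifier, per actor, at or above
# which the actor is flagged as probing for role identifiers (assumed threshold).
GUESS_THRESHOLD = 3


def parse_events(text):
    """Parse newline-delimited JSON audit events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return a list of (kind, actor, target_user, detail) findings."""
    findings = []
    unknown_role_failures = Counter()

    for event in events:
        if event.get("action") != "role_assign":
            continue

        if event.get("result") != "ok":
            # Failed assignments naming a role that does not exist are what
            # guessing role identifiers looks like from the defender's side.
            if event.get("reason") == "unknown_role":
                unknown_role_failures[event["actor"]] += 1
            continue

        actor = event["actor"]
        target = event["target_user"]
        role = event["role"]
        actor_rank = max((ROLE_RANK.get(r, 0) for r in event.get("actor_roles", [])), default=0)
        assigned_rank = ROLE_RANK.get(role, 0)

        if target == actor:
            findings.append(("self_assignment", actor, target, f"assigned {role} to own account"))
        if assigned_rank > actor_rank:
            # A role manager handing out a role above their own level is the
            # privilege-elevation pattern this CVE describes.
            findings.append(("elevation_above_actor", actor, target,
                             f"assigned {role} (rank {assigned_rank}) with actor rank {actor_rank}"))

    for actor, count in unknown_role_failures.items():
        if count >= GUESS_THRESHOLD:
            findings.append(("role_id_guessing", actor, None,
                             f"{count} failed assignments with unknown role identifiers"))
    return findings


def finding_counts(text=SAMPLE_EVENTS):
    """Count findings by kind for a log text; returns a plain dict."""
    return dict(Counter(kind for kind, *_ in analyze(parse_events(text))))


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against the constructed sample, the script reports alice granting Administrator above her own RoleManager level, mallory assigning Administrator to her own account (which is also above her level), and mallory's three unknown-role failures; carol, an Administrator granting Editor, produces nothing. In a real deployment the role ranking would come from the application's security model and the threshold would be tuned to the normal rate of mistyped role names.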
Evidence notes
CVE published 2024-06-11 per CISA CSAF advisory ICSA-24-165-01. CVSS 5.9 (MEDIUM) with vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N. Affected products: Mendix Applications using Mendix 9, Mendix 10, and Mendix 10 (V10.6). Vendor fixes available: V9.24.22+, V10.11.0+, V10.6.9+.
Official resources
- CVE-2024-33500 CVE record (CVE.org)
- CVE-2024-33500 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-06-11