PatchSiren cyber security CVE debrief

CVE-2024-39888 Siemens CVE debrief

CVE-2024-39888 is a HIGH severity vulnerability (CVSS 7.5) in the Siemens Mendix Encryption Module, published July 9, 2024. The vulnerability stems from a hard-coded default value of the EncryptionKey constant, which is applied whenever a project does not specify its own encryption key. Because that default is the same in every affected deployment, an attacker who obtains encrypted project data protected by it can decrypt that data, which makes the encryption meaningless for those deployments. The issue is network-exploitable with low attack complexity and requires no privileges or user interaction. Siemens has released Mendix Encryption Module V10.0.2 to address it. Organizations using the module should verify their project configurations and apply the vendor fix immediately.

Vendor: Siemens
Product: Mendix Encryption
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-09
Original CVE updated: 2024-07-09
Advisory published: 2024-07-09
Advisory updated: 2024-07-09

Who should care

Organizations operating Siemens Mendix applications with encrypted data stores, particularly industrial control system (ICS/OT) environments where Mendix is deployed for operational applications. Security teams responsible for cryptographic key management and application security in low-code development platforms.

Technical summary

The Mendix Encryption Module contained a hard-coded default value for the EncryptionKey constant. When a project did not specify an individual encryption key, this default was applied automatically. Since the default key is hard-coded in the module, and therefore known or derivable by anyone who examines it, any attacker with access to encrypted project data can decrypt it. The vulnerability is remotely exploitable without authentication, with a CVSS 3.1 score of 7.5 (HIGH). Remediation requires updating to version 10.0.2 or later and ensuring every project uses its own unique, non-default encryption key.

Defensive priority

HIGH

Recommended defensive actions

  • Verify Mendix Encryption Module version and upgrade to V10.0.2 or later per vendor guidance
  • Audit all Mendix projects to confirm custom EncryptionKey values are configured and not using default values
  • Review encrypted data stores for potential unauthorized access given the compromised default key
  • Implement defense-in-depth controls for Mendix applications per CISA ICS recommended practices
  • Monitor for anomalous access patterns to encrypted Mendix project data
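The audit step above can be scripted. The following is an added example, not code from PatchSiren, Siemens or the Mendix project: it assumes each project's constant settings have been exported as a mapping keyed by the constant name "Encryption.EncryptionKey" (an assumption about the export format), flags keys that are unset, equal to the shipped default, short, low-entropy, or reused across projects, and uses a placeholder in place of the real default value, which this page does not reproduce.

```python
"""Audit exported Mendix project constants for weak or default EncryptionKey values."""
import math
from collections import Counter, defaultdict

# Placeholder only: substitute the module's real default value from the vendor advisory.
KNOWN_DEFAULT_KEYS = {"<MODULE_DEFAULT_KEY_PLACEHOLDER>"}
MIN_KEY_LENGTH = 16   # assumed local policy minimum, not a vendor figure
MIN_ENTROPY_BITS = 3.0  # assumed threshold; repetitive keys score far lower

def shannon_entropy_bits(s: str) -> float:
    """Per-character Shannon entropy; 0 for a single repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def audit_projects(projects: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """projects maps project name -> {constant name: value}; returns findings per project."""
    findings = defaultdict(list)
    key_owners = defaultdict(list)  # key value -> projects using it (for reuse detection)
    for name, constants in projects.items():
        key = constants.get("Encryption.EncryptionKey")
        if not key:
            findings[name].append("EncryptionKey not set: module default will be used")
            continue
        key_owners[key].append(name)
        if key in KNOWN_DEFAULT_KEYS:
            findings[name].append("EncryptionKey equals the shipped default")
        if len(key) < MIN_KEY_LENGTH:
            findings[name].append(f"EncryptionKey shorter than {MIN_KEY_LENGTH} characters")
        if shannon_entropy_bits(key) < MIN_ENTROPY_BITS:
            findings[name].append("EncryptionKey has low entropy")
    for owners in key_owners.values():
        if len(owners) > 1:  # a key unique per project must not appear twice
            for name in owners:
                others = ", ".join(o for o in owners if o != name)
                findings[name].append(f"EncryptionKey shared with: {others}")
    return dict(findings)

# Constructed sample export (not real project data)
SAMPLE_PROJECTS = {
    "InventoryApp": {"Encryption.EncryptionKey": "<MODULE_DEFAULT_KEY_PLACEHOLDER>"},
    "PlantDashboard": {},
    "MaintenancePortal": {"Encryption.EncryptionKey": "aaaaaaaaaaaaaaaaaaaa"},
    "ShiftScheduler": {"Encryption.EncryptionKey": "q7Vx2pL9mN4rT8wZ3kB6"},
    "QualityTracker": {"Encryption.EncryptionKey": "q7Vx2pL9mN4rT8wZ3kB6"},
    "AuditLogViewer": {"Encryption.EncryptionKey": "Zp8!kR2#vN6$wQ9^bL4&hT7*"},
}

if __name__ == "__main__":
    for project, issues in audit_projects(SAMPLE_PROJECTS).items():
        for issue in issues:
            print(f"{project}: {issue}")
```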

Evidence notes

Vulnerability confirmed through CISA ICS advisory ICSA-24-193-08 and Siemens security advisory SSA-998949. The hard-coded default encryption key is a cryptographic implementation flaw whose confidentiality impact is rated HIGH, per the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Official resources

Siemens security advisory SSA-998949 and CISA ICS advisory ICSA-24-193-08 (cited under Evidence notes); advisory date 2024-07-09.