PatchSiren cyber security CVE debrief

CVE-2024-50313 Siemens CVE debrief

A race condition in the basic authentication implementation of Siemens Mendix Runtime allows unauthenticated remote attackers to bypass default account lockout protections. The vulnerability affects Mendix Runtime V8, V9, and multiple V10 branches. Siemens has released patches for V9 and V10 variants; V8 has no planned fix and requires mitigation.

Vendor: Siemens
Product: Mendix Runtime V8
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-11-12
Original CVE updated: 2025-08-12
Advisory published: 2024-11-12
Advisory updated: 2025-08-12

Who should care

Organizations running Siemens Mendix Runtime applications, particularly those in industrial and operational technology environments where Mendix is deployed for process control or business-critical applications. Security teams responsible for identity and access management in low-code development platforms, as well as OT security practitioners monitoring CISA ICS advisories.

Technical summary

CVE-2024-50313 is a race condition vulnerability in the basic authentication implementation of Siemens Mendix Runtime. The flaw allows unauthenticated remote attackers to circumvent default account lockout measures, potentially enabling brute-force or credential stuffing attacks that would otherwise be blocked. The vulnerability affects Mendix Runtime V8 (end-of-life, no fix planned), V9 (patched in V9.24.29), and V10 branches including V10.6 (patched in V10.6.15), V10.12 (patched in V10.12.7), and the main V10 line (patched in V10.16.0). Siemens and CISA recommend migrating away from basic authentication to alternative methods including OIDC SSO, Mendix SSO, SAML V4, or Custom/Active Session authentication for APIs.

Defensive priority

medium

Recommended defensive actions

  • For Mendix Runtime V9 and V10 variants, apply vendor patches: V9.24.29 or later, V10.6.15 or later, V10.12.7 or later, or V10.16.0 or later
  • For Mendix Runtime V8 and all versions where patching is not immediately feasible, disable basic authentication for app user login and configure alternative authentication modules such as OIDC SSO, Mendix SSO, or SAML V4
  • For published REST and web services and OData APIs, replace basic authentication with Custom or Active Session authentication methods
  • Review authentication configurations in Mendix applications to identify and remediate any reliance on basic authentication
  • Monitor authentication logs for anomalous patterns that may indicate exploitation attempts against account lockout mechanisms
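The last action above is the one that is hardest to operationalise, so here is an added example (written for this debrief, not code from PatchSiren, Siemens or Mendix) of the kind of check a detection engineer would run over authentication logs: a lockout that works never lets an account accumulate more failures than the threshold, so any account that does, with no lockout event recorded, is a candidate for a bypassed or raced lockout. The log layout, the threshold and the window are assumptions for the illustration, not Mendix's real log format or defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for this illustration, not Mendix defaults.
LOCKOUT_THRESHOLD = 5                 # failures after which the account must lock
WINDOW = timedelta(seconds=60)        # span over which failures are counted
BURST = timedelta(milliseconds=50)    # near-simultaneous failures hint at a race

# Constructed sample lines in a generic "<ts> <event> k=v ..." layout (NOT the real Mendix log format).
SAMPLE_LOG = """\
2024-11-12T10:00:00.000Z LOGIN_FAILED user=alice src=203.0.113.5
2024-11-12T10:00:00.004Z LOGIN_FAILED user=alice src=203.0.113.5
2024-11-12T10:00:00.007Z LOGIN_FAILED user=alice src=203.0.113.5
2024-11-12T10:00:00.009Z LOGIN_FAILED user=alice src=203.0.113.5
2024-11-12T10:00:00.011Z LOGIN_FAILED user=alice src=203.0.113.5
2024-11-12T10:00:00.013Z LOGIN_FAILED user=alice src=203.0.113.5
2024-11-12T10:00:05.000Z LOGIN_FAILED user=bob src=198.51.100.7
2024-11-12T10:00:06.000Z LOGIN_FAILED user=bob src=198.51.100.7
2024-11-12T10:00:07.000Z LOGIN_FAILED user=bob src=198.51.100.7
2024-11-12T10:00:08.000Z LOGIN_FAILED user=bob src=198.51.100.7
2024-11-12T10:00:09.000Z LOGIN_FAILED user=bob src=198.51.100.7
2024-11-12T10:00:09.001Z ACCOUNT_LOCKED user=bob
2024-11-12T10:00:20.000Z LOGIN_FAILED user=carol src=192.0.2.9
"""

def parse_line(line):
    """Split '<ts> <event> k=v ...' into (datetime, event, fields)."""
    ts, event, *pairs = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), event, dict(p.split("=", 1) for p in pairs)

def count_in_span(stamps, span):
    """Largest number of sorted timestamps falling inside any `span`-long interval."""
    return max(sum(1 for t in stamps if s <= t < s + span) for s in stamps)

def find_lockout_bypass(log_text, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {user: (failures_in_window, max_burst)} for accounts whose LOGIN_FAILED
    count inside `window` exceeded `threshold` without any ACCOUNT_LOCKED event."""
    failures, locked = defaultdict(list), set()
    for line in log_text.splitlines():
        ts, event, fields = parse_line(line)
        if event == "ACCOUNT_LOCKED":
            locked.add(fields["user"])
        elif event == "LOGIN_FAILED":
            failures[fields["user"]].append(ts)
    findings = {}
    for user, stamps in failures.items():
        stamps.sort()
        # A serialised lockout caps the count at the threshold; a racy check-then-increment
        # does not, and the overflow usually arrives as a tight burst (the second tuple value).
        if user not in locked and count_in_span(stamps, window) > threshold:
            findings[user] = (count_in_span(stamps, window), count_in_span(stamps, BURST))
    return findings
```

On the sample above only `alice` is reported (six failures, all inside one 50 ms burst, with no lockout), while `bob` is locked at the threshold and `carol` never reaches it.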

Evidence notes

The vulnerability was disclosed by CISA in advisory ICSA-24-319-12, with Siemens publishing coordinated security advisory SSA-914892. The issue stems from a race condition in basic authentication that can circumvent account lockout mechanisms designed to prevent brute-force attacks.
