PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-30280 Siemens CVE debrief

CVE-2025-30280 is a medium-severity information disclosure issue in Siemens Mendix Runtime-based applications. CISA and Siemens state that certain client actions can produce distinguishable responses, allowing an unauthenticated remote attacker to enumerate valid entities and attribute names. The advisory was published on 2025-04-08 and later revised on 2025-06-10 to add a fix for Mendix Runtime V8.

Vendor: Siemens
Product: Mendix Runtime V8
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-08
Original CVE updated: 2025-06-10
Advisory published: 2025-04-08
Advisory updated: 2025-06-10

Who should care

Application owners, developers, and administrators running Mendix Runtime-based applications, especially teams supporting externally reachable or multi-user deployments. Security and operations teams should also track the specific Mendix Runtime branch in use so the correct minimum fixed version is applied.

Technical summary

The advisory describes an entity-enumeration information disclosure caused by response differences in certain client actions. The attacker does not need authentication and can use the observable differences to list valid entities and attribute names in a Mendix Runtime-based application. Affected product branches listed by the advisory are Mendix Runtime V8, V9, V10, V10.6, V10.12, and V10.18. Fixed versions listed in the source are V8.18.35+, V9.24.34+, V10.21.0+, V10.6.22+, V10.12.16+, and V10.18.5+.

Defensive priority

Medium

Recommended defensive actions

  • Identify all Mendix Runtime deployments and map each instance to its major/minor branch before changing anything.
  • Update Mendix Runtime to the minimum fixed version for the branch in use: V8.18.35 or later, V9.24.34 or later, V10.21.0 or later, V10.6.22 or later, V10.12.16 or later, or V10.18.5 or later.
  • Review externally reachable application flows for distinguishable error or response behavior that could reveal entity or attribute names.
  • If immediate patching is not possible, restrict exposure to trusted networks and monitor for unusual request patterns against Mendix application endpoints.
  • Validate the upgrade in a non-production environment and confirm the application no longer exposes distinguishable responses for the affected client actions.
  • Track Siemens and CISA advisory updates for branch-specific guidance and confirm the exact fixed release before rollout.
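The first two actions above (map each instance to its branch, then compare against the branch's minimum fixed release) are easy to get wrong by hand because the V10 line has three long-term branches with their own fix releases alongside the general V10.21.0 fix. The following script is an added example, not code from PatchSiren, Siemens or the Mendix project. It encodes only the branch-to-fixed-version table printed in this debrief; the inventory it runs over is constructed, and the version-string format it accepts (`major.minor.patch` with an optional `v` prefix and optional trailing build number) is an assumption about how a team records runtime versions.

```python
"""Triage a Mendix Runtime inventory against the CVE-2025-30280 fixed-version
table from this debrief. Example code, not part of the advisory."""
from dataclasses import dataclass
import re

# Minimum fixed release per affected branch, copied from the advisory summary.
# (major, minor) keys are the V10 long-term branches; (major, None) keys cover
# every other release of that major version.
FIXED_VERSIONS = {
    (8, None): (8, 18, 35),
    (9, None): (9, 24, 34),
    (10, 6): (10, 6, 22),
    (10, 12): (10, 12, 16),
    (10, 18): (10, 18, 5),
    (10, None): (10, 21, 0),
}


def parse_version(text):
    """Return the first three numeric components of a version string.
    Accepts forms such as '10.12.3', 'v9.24.1' or '10.6.22.12345' (assumed
    inventory formats; a fourth build component is ignored)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Mendix Runtime version: {text!r}")
    return tuple(int(x) for x in m.groups())


def branch_for(version):
    """Map a parsed version to the advisory branch it belongs to, or None if
    the major version is not in the advisory table."""
    major, minor, _ = version
    if (major, minor) in FIXED_VERSIONS:
        return (major, minor)          # V10.6 / V10.12 / V10.18
    if (major, None) in FIXED_VERSIONS:
        return (major, None)           # V8, V9, or any other V10 release
    return None


def branch_label(branch):
    major, minor = branch
    return f"V{major}" if minor is None else f"V{major}.{minor}"


@dataclass
class Assessment:
    version: str
    branch: str
    fixed_in: str
    patched: bool


def assess(text):
    """Assess one version string: which branch it is on, the branch's minimum
    fixed release, and whether the instance is at or above it."""
    version = parse_version(text)
    branch = branch_for(version)
    if branch is None:
        raise ValueError(f"{text!r} is not on a branch listed in the advisory")
    fixed = FIXED_VERSIONS[branch]
    return Assessment(
        version=".".join(map(str, version)),
        branch=branch_label(branch),
        fixed_in=".".join(map(str, fixed)),
        patched=version >= fixed,      # tuple comparison, component by component
    )


def triage(inventory):
    """inventory: iterable of (instance_name, version_string).
    Prints one line per instance and returns the names still below the
    fixed release for their branch."""
    pending = []
    for name, ver in inventory:
        a = assess(ver)
        status = "ok" if a.patched else "UPDATE"
        print(f"{name:<14}{a.version:<14}{a.branch:<8}fixed in {a.fixed_in:<10}{status}")
        if not a.patched:
            pending.append(name)
    return pending


if __name__ == "__main__":
    # Constructed sample inventory; the names and versions are not real hosts.
    sample = [
        ("portal-prod", "10.12.3"),
        ("portal-test", "10.12.16.54321"),
        ("legacy-crm", "8.18.34"),
        ("intranet", "10.20.0"),
        ("lts-app", "10.6.22"),
    ]
    print("Needs update:", triage(sample))
```

The point of the explicit branch lookup is the `intranet` case: 10.20.0 is newer than every long-term-branch fix release, yet it is not on one of those branches, so it must be compared against V10.21.0 rather than against V10.18.5. A version on a major line the advisory does not list raises instead of silently reporting "ok", so unexpected inventory entries surface for manual review.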

Evidence notes

The source corpus consists of the CISA CSAF advisory ICSA-25-105-01 and the Siemens advisory SSA-874353 it references. The advisory states that affected applications allow entity enumeration due to distinguishable responses in certain client actions, enabling an unauthenticated remote attacker to list valid entities and attribute names. The revision history shows publication on 2025-04-08, additional fixes added on 2025-04-10 and 2025-04-14, and a V8 fix added on 2025-06-10. The enrichment data shows the issue is not in CISA KEV.

Official resources

Publicly disclosed in CISA and Siemens advisories on 2025-04-08, with later advisory revisions through 2025-06-10. The enrichment data indicates no CISA KEV listing and no known ransomware campaign use in the supplied corpus.