PatchSiren cyber security CVE debrief
CVE-2025-40571 Siemens CVE debrief
CVE-2025-40571 is a low-severity access-control issue in Siemens' Mendix OIDC SSO module. The module's OIDC.Token entity is configured so only the Administrator role can read and write tokens, and Siemens warns this could lead to privilege misuse if an adversary modifies the module during Mendix development.
- Vendor: Siemens
- Product: Mendix OIDC SSO (Mendix 10.12 compatible)
- CVSS: LOW 2.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-13
- Original CVE updated: 2026-04-16
- Advisory published: 2025-05-13
- Advisory updated: 2026-04-16
Who should care
Siemens Mendix developers, application administrators, and security teams responsible for OIDC SSO modules in Mendix development and build environments.
Technical summary
CISA's CSAF advisory ICSA-25-135-15 covers four affected product variants: Mendix OIDC SSO (Mendix 10.12 compatible), Mendix OIDC SSO (Mendix 9 compatible), Mendix OIDC SSO V4.2 (Mendix 10 compatible), and Mendix OIDC SSO V4.3 (Mendix 10 compatible). The advisory assigns CVSS v3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N, scored 2.2 (LOW). Remediation differs by version: update to V3.3.1 or later, V4.0.1 or later, or V4.2.1 or later where available; the advisory also states that no fix is currently available for V4.3.
Defensive priority
Low. This is primarily a development-time privilege/misconfiguration concern with a low CVSS score and no KEV listing, but it still merits version review and access-control hygiene.
Recommended defensive actions
- Update affected modules to the fixed version that matches your Mendix line: V3.3.1+ for Mendix 9 compatible, V4.0.1+ for Mendix 10.12 compatible, and V4.2.1+ for Mendix 10 compatible.
- If you rely on Mendix OIDC SSO V4.3, track Siemens and CISA guidance closely because the advisory states that no fix is available for that version.
- Review the OIDC.Token entity access rules and keep read/write access restricted to the Administrator role unless a documented business need requires a separate privileged role.
- Restrict who can modify Mendix modules during development and use code review or release controls to reduce the risk of unauthorized module changes.
- Follow CISA ICS recommended practices and defense-in-depth guidance for the environments where Mendix applications are developed and deployed.
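The version review in the first two actions above is easy to get wrong across a fleet of Mendix apps because the fixed version depends on which module line each app runs, and one line (V4.3) has no fix at all. The following Python helper is an added example, not code from Siemens, CISA or PatchSiren: it takes a constructed inventory of app names and installed Mendix OIDC SSO module versions and reports, per app, whether the module is already at a fixed version, needs an update, sits on the no-fix V4.3 line, or is on a line the advisory does not name. The fixed versions come from the advisory as summarized on this page; mapping an installed version to a line by its major.minor prefix is this example's own assumption.

```python
"""Triage helper for CVE-2025-40571 (Siemens Mendix OIDC SSO module).

Added example; not part of the advisory or any vendor tooling.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions as listed in ICSA-25-135-15: V3.3.1, V4.0.1, V4.2.1; no fix for V4.3.
# ASSUMPTION: an installed version belongs to the line whose major(.minor) prefix it
# matches. Any other prefix is reported as unknown rather than guessed.
FIX_LINES: Dict[Tuple[int, ...], Optional[Version]] = {
    (3,): (3, 3, 1),      # Mendix 9 compatible line
    (4, 0): (4, 0, 1),    # Mendix 10.12 compatible line
    (4, 2): (4, 2, 1),    # V4.2 (Mendix 10 compatible)
    (4, 3): None,         # V4.3 (Mendix 10 compatible): no fix available per advisory
}


def parse_version(text: str) -> Version:
    """Parse 'V4.2', '4.2.1' or '3.2' into a (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized module version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


@dataclass
class Finding:
    app: str
    installed: str
    status: str                     # "fixed", "update", "no-fix" or "unknown-line"
    fixed_version: Optional[str]    # version to move to, when one exists


def triage(app: str, installed: str) -> Finding:
    """Classify one app's module version against the advisory's fix lines."""
    v = parse_version(installed)
    # Prefer the most specific (longest) matching prefix, e.g. (4, 3) over (4,).
    matches = [p for p in FIX_LINES if v[: len(p)] == p]
    if not matches:
        return Finding(app, installed, "unknown-line", None)
    fixed = FIX_LINES[max(matches, key=len)]
    if fixed is None:
        return Finding(app, installed, "no-fix", None)
    status = "fixed" if v >= fixed else "update"
    return Finding(app, installed, status, format_version(fixed))


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Finding]:
    return [triage(app, ver) for app, ver in inventory]


# Constructed sample inventory for demonstration only (not real systems).
SAMPLE_INVENTORY = [
    ("hr-portal", "3.2.0"),     # V3 line, below 3.3.1 -> update
    ("billing", "V4.0.1"),      # exactly the fixed version -> fixed
    ("field-ops", "4.2"),       # V4.2 line, below 4.2.1 -> update
    ("partner-hub", "4.3.0"),   # V4.3 line -> no fix available
    ("legacy-intranet", "2.9"), # line not named by the advisory -> unknown
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f.app:16} {f.installed:8} {f.status:13} fixed={f.fixed_version}")
```

Apps reported as `no-fix` are the ones to carry on a watch list per the advisory's V4.3 note; `unknown-line` results should be checked by hand rather than assumed safe.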
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-25-135-15 and its revision history, which shows initial publication on 2025-05-13 and a latest republication update on 2026-04-16. The source description states that the Mendix OIDC SSO module grants read and write access to all tokens exclusively to the Administrator role and could result in privilege misuse if the module is modified during Mendix development. The advisory also provides the affected product list, the CVSS v3.1 vector, and version-specific remediation entries.
Official resources
- CVE-2025-40571 CVE record (CVE.org)
- CVE-2025-40571 NVD detail (NVD)
- Source item URL (cisa_csaf)
First published by CISA on 2025-05-13 as ICSA-25-135-15; last updated on 2026-04-16 based on Siemens ProductCERT SSA-726617. No KEV entry was provided in the supplied corpus.