PatchSiren cyber security CVE debrief
CVE-2025-40592 Siemens CVE debrief
CVE-2025-40592 is a medium-severity zip path traversal issue in Siemens Mendix Studio Pro's module installation process. The advisory says a malicious module—such as one distributed through the Mendix Marketplace—could write or modify arbitrary files outside a developer's project directory when installed. Siemens and CISA published the advisory on 2025-06-12, and the advisory was revised on 2025-07-08 to add a fix for Mendix Studio Pro 11.
- Vendor: Siemens
- Product: Mendix Studio Pro 8 (the advisory also covers the 9, 10, 10.6, 10.12, 10.18 and 11 branches; see Who should care)
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-12
- Original CVE updated: 2025-07-08
- Advisory published: 2025-06-12
- Advisory updated: 2025-07-08
Who should care
Developers and teams using Mendix Studio Pro 8, 9, 10, 10.6, 10.12, 10.18, or 11; platform owners; and security teams responsible for approving third-party modules or marketplace content in development environments.
Technical summary
The advisory describes a zip path traversal flaw (the pattern often called "zip slip") in Studio Pro's module installation flow. Module archives are unpacked into the developer's project directory; if an entry name in a crafted archive carries traversal components such as "../" (or an absolute path) and the installer joins that name onto the project path without checking where it resolves, the file lands outside the intended directory. An attacker who gets a developer to install such a module can therefore write or modify files anywhere the developer's user account can write. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N (6.1): the module arrives over the network, no privileges are required, a developer must choose to install it (UI:R), the write escapes the project directory (S:C), and the scored impact is integrity only (I:H, with no confidentiality or availability impact). Siemens' remediation guidance lists branch-specific fixed versions: 8.18.35+, 9.24.35+, 10.23.0+, 10.6.24+, 10.12.17+, 10.18.7+, and 11.0.0+.
Defensive priority
Medium — prioritize if your teams install modules from the Mendix Marketplace or other third-party sources, because the impact is arbitrary file modification outside the project directory.
Recommended defensive actions
- Do not install untrusted or unverified modules in Studio Pro projects.
- Upgrade affected Studio Pro branches to the Siemens-fixed versions listed in the advisory.
- Apply source-approval and review controls for marketplace or third-party modules before installation.
- Review recent module installations and check for unexpected file changes outside project directories.
- Track the Siemens/CISA advisory for branch-specific remediation updates; the advisory was revised on 2025-07-08 to add Studio Pro 11 coverage.
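The following is an added example, not Siemens or Mendix code, illustrating both the zip path traversal mechanism described in the technical summary and the pre-install review control recommended above. It builds a constructed malicious archive in memory whose entry name climbs out of the install directory, shows the naive extraction pattern that honours that name verbatim, and then a scanner plus hardened installer that refuse any entry resolving outside the target directory. The archive layout ("module/..." entries), the file names and the scratch directories are assumptions made for illustration; Mendix's real module format and installer are not reproduced here.

```python
"""Zip path traversal ("zip slip") in an archive-based module installer.

Added illustration, not Siemens/Mendix code. Entry names, archive layout
and scratch paths are constructed for the example.
"""
import io
import os
import posixpath
import re
import tempfile
import zipfile

DRIVE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix, rejected on every host


def build_archive(entries: dict[str, str]) -> bytes:
    """Constructed sample archive from {entry name: file contents}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)  # zipfile stores the name as given
    return buf.getvalue()


BENIGN = {"module/README.txt": "looks harmless\n"}
# Attacker-controlled entry name: two ".." components climb out of <dest>.
MALICIOUS = {**BENIGN, "../../outside/payload.txt": "written outside the project\n"}


def extract_verbatim(archive: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: join each entry name onto dest with no validation."""
    os.makedirs(dest, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # ".." is honoured here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def unsafe_entries(archive: bytes, dest: str) -> list[str]:
    """Pre-install scan: entry names that would land outside dest."""
    root = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            parts = name.split("/")
            # Reject absolute paths, drive letters and any ".." component outright.
            if posixpath.isabs(name) or DRIVE.match(name) or ".." in parts:
                bad.append(info.filename)
                continue
            # Defence in depth: resolve the final path and check containment.
            resolved = os.path.realpath(os.path.join(root, *parts))
            if os.path.commonpath([root, resolved]) != root:
                bad.append(info.filename)
    return bad


def safe_install(archive: bytes, dest: str) -> list[str]:
    """Hardened installer: refuse the whole archive if any entry escapes."""
    bad = unsafe_entries(archive, dest)
    if bad:
        raise ValueError(f"refusing archive, unsafe entries: {bad}")
    return extract_verbatim(archive, dest)  # every name now stays under dest


def demo() -> dict:
    """Run both installers in a scratch tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        project = os.path.join(tmp, "sandbox", "project")
        # Naive extraction: collect files that ended up outside the project.
        escaped = [
            os.path.relpath(p, tmp).replace(os.sep, "/")
            for p in extract_verbatim(build_archive(MALICIOUS), project)
            if os.path.commonpath([project, p]) != project
        ]
        blocked = unsafe_entries(build_archive(MALICIOUS), project)
        try:
            safe_install(build_archive(MALICIOUS), project)
            refused = False
        except ValueError:
            refused = True
        installed = [
            os.path.relpath(p, project).replace(os.sep, "/")
            for p in safe_install(build_archive(BENIGN), project)
        ]
    return {"escaped": escaped, "blocked": blocked, "refused": refused, "installed": installed}


if __name__ == "__main__":
    print(demo())
```

The scanner rejects the archive as a whole rather than skipping the offending entry, since a module that ships a traversal entry is not one to trust in part; the containment check after name filtering also catches names that only resolve outside the target once joined.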
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-25-168-01 and the Siemens advisory references. The supplied advisory text explicitly states the zip path traversal condition, the potential for arbitrary file write/modify outside the project directory, the affected Studio Pro versions, and the fixed versions. The supplied timeline shows publication on 2025-06-12 and revision on 2025-07-08. No CISA KEV entry was provided in the source corpus.
Official resources
- CVE-2025-40592 CVE record (CVE.org)
- CVE-2025-40592 NVD detail (NVD)
- Source item URL (cisa_csaf: CISA CSAF advisory ICSA-25-168-01)
Publicly disclosed by Siemens and CISA on 2025-06-12 through ICSA-25-168-01 / CVE-2025-40592. Siemens revised the advisory on 2025-07-08 to add a fix for Mendix Studio Pro 11.