Siemens has alerted users to a critical vulnerability in the Mendix Encryption module, effective July 11, 2024. This vulnerability, assigned CVE-2024-39888, involves hard-coded security constants in Mendix Encryption versions up to V10.0.0, allowing attackers to decrypt encrypted project data. With a CVSS v4 score of 8.7, the flaw presents a significant risk, and Siemens recommends updating to Mendix Encryption version 10.0.2 or later to address this issue.
The vulnerability arises from the use of a default encryption key that could be exploited by attackers to decrypt any data encrypted with the module. The issue is globally relevant, affecting critical manufacturing sectors, and has been reported to CISA by Siemens. Users are advised to protect network access, follow Siemens’ operational security guidelines, and update their software to mitigate risks associated with this vulnerability.
CISA supports Siemens‘ recommendations and suggests minimizing network exposure for control systems, employing secure remote access methods like updated VPNs, and conducting thorough risk assessments. No public exploitation specifically targeting this vulnerability has been reported yet, but proactive measures are essential for securing industrial control systems.
For further guidance, Siemens provides detailed mitigation steps on their industrial security webpage, while CISA offers additional resources on their ICS security practices page. Organizations should remain vigilant and report any suspicious activities to CISA for proper tracking and analysis.