CVE-2025-30280

MEDIUM

Mendix Runtime <10.21.0, 10.12.16, 10.18.5, 10.6.22, 8.18.35, 9.24....

Title source: llm

Description

A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions < V10.12.16), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6 (All versions < V10.6.22), Mendix Runtime V8 (All versions < V8.18.35), Mendix Runtime V9 (All versions < V9.24.34). Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application.

References (1)

[Vendor Advisory] https://cert-portal.siemens.com/productcert/html/ssa-874353.html

Scores

CVSS v3 5.3

EPSS 0.0015

EPSS Percentile 34.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-204

Status published

Products (6)

Siemens/Mendix Runtime V10 < V10.21.0

Siemens/Mendix Runtime V10.12 < V10.12.16

Siemens/Mendix Runtime V10.18 < V10.18.5

Siemens/Mendix Runtime V10.6 < V10.6.22

Siemens/Mendix Runtime V8 < V8.18.35

Siemens/Mendix Runtime V9 < V9.24.34

Published Apr 08, 2025

Tracked Since Feb 18, 2026