CVE-2025-40592
Severity: MEDIUM
Mendix Studio Pro <10.23.0, <10.12.17, <10.18.7, <10.6.24, <11.0.0, ...
A vulnerability has been identified in Mendix Studio Pro 10 (All versions < V10.23.0), Mendix Studio Pro 10.12 (All versions < V10.12.17), Mendix Studio Pro 10.18 (All versions < V10.18.7), Mendix Studio Pro 10.6 (All versions < V10.6.24), Mendix Studio Pro 11 (All versions < V11.0.0), Mendix Studio Pro 8 (All versions < V8.18.35), Mendix Studio Pro 9 (All versions < V9.24.35). A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.
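The flaw described above is CWE-22 applied to archive extraction: an entry name such as `../../file` or an absolute path is joined to the destination directory without checking where it ends up. As an added example, not code from Siemens or Mendix, the following check refuses any entry whose resolved path leaves the destination directory before a byte is written; the sample archive and its entry names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

def is_entry_safe(dest_dir: str, name: str) -> bool:
    """True only if the entry, joined to dest_dir, resolves inside dest_dir."""
    normalized = name.replace("\\", "/")  # a crafted archive may use backslashes
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False  # absolute POSIX path or Windows drive letter
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *normalized.split("/")))
    return target == dest_real or target.startswith(dest_real + os.sep)

def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Write only entries that stay inside dest_dir; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_entry_safe(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            parts = info.filename.replace("\\", "/").split("/")
            target = os.path.join(dest_dir, *parts)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected

def build_sample_module() -> bytes:
    """Constructed sample archive: one benign file plus two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyModule/widget.js", "// benign module file\n")
        zf.writestr("../../outside.txt", "would land outside the project\n")
        zf.writestr("/tmp/absolute.txt", "absolute entry name\n")
    return buf.getvalue()

def run_demo() -> dict:
    """Extract the sample into a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = safe_extract(build_sample_module(), dest)
        escaped = os.path.exists(os.path.join(dest, "..", "..", "outside.txt"))
    return {"written": written, "rejected": rejected, "escaped": escaped}
```

Resolving with `os.path.realpath` (rather than string-prefix checks on the raw name) is what catches `MyModule/../../x` style names and symlinked destination directories alike.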
References (1)
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-627195.html
Scores
CVSS v3: 6.1
EPSS: 0.0022
EPSS Percentile: 44.2%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (7)
Siemens/Mendix Studio Pro 10: < V10.23.0
Siemens/Mendix Studio Pro 10.12: < V10.12.17
Siemens/Mendix Studio Pro 10.18: < V10.18.7
Siemens/Mendix Studio Pro 10.6: < V10.6.24
Siemens/Mendix Studio Pro 11: < V11.0.0
Siemens/Mendix Studio Pro 8: < V8.18.35
Siemens/Mendix Studio Pro 9: < V9.24.35
Published: Jun 12, 2025
Tracked Since: Feb 18, 2026