CVE-2025-40592
Status: Awaiting Analysis
BaseFortify

Publication date: 2025-06-12

Last updated on: 2025-07-08

Assigner: Siemens AG

Description
A vulnerability has been identified in Mendix Studio Pro 10 (All versions < V10.23.0), Mendix Studio Pro 10.12 (All versions < V10.12.17), Mendix Studio Pro 10.18 (All versions < V10.18.7), Mendix Studio Pro 10.6 (All versions < V10.6.24), Mendix Studio Pro 11 (All versions < V11.0.0), Mendix Studio Pro 8 (All versions < V8.18.35), Mendix Studio Pro 9 (All versions < V9.24.35). A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.
Meta Information
Published
2025-06-12
Last Modified
2025-07-08
Generated
2026-05-07
AI Q&A
2025-06-12
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a zip path traversal issue in Mendix Studio Pro's module installation process. It allows an attacker to craft a malicious module that, when installed (for example, via the Mendix Marketplace), can write or modify arbitrary files outside the intended project directory. This means the attacker can potentially alter files anywhere on the system accessible by the software, leading to unauthorized file changes. [1]


How can this vulnerability impact me?

The vulnerability can impact you by allowing an attacker to modify or write arbitrary files outside your project directory, which could lead to unauthorized changes in your development environment or system. This could result in compromised project integrity, potential execution of malicious code, or disruption of your development process. If malicious modules were installed before applying fixes, your system might already be affected. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves reviewing installed Mendix Studio Pro modules for suspicious or untrusted modules that could exploit the zip path traversal vulnerability. Since the vulnerability allows arbitrary file writes outside the project directory during module installation, monitoring file system changes outside expected directories after module installations may help. Specific commands are not provided in the resources, but users should audit installed modules and check for unexpected file modifications or creations outside the project directory. [1]
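The CWE-22 entry above describes the root cause (archive member names that resolve outside the restricted parent directory) and the detection answer recommends auditing modules before and after installation. The following added example, which is not code from Siemens, Mendix or this page, shows the pre-install gate an extractor should apply: every member name is resolved against the intended project directory and anything that would land elsewhere is reported instead of being written. The sample archive, its member names and the destination directory are constructed for the demonstration; real module archives and install paths are assumptions here.

```python
import io
import os
import tempfile
import zipfile
from typing import List


def traversal_entries(zf: zipfile.ZipFile, dest_dir: str) -> List[str]:
    """Return the member names of zf whose extraction target would fall
    outside dest_dir. An empty list means the archive is safe to extract
    into dest_dir with respect to CWE-22 (zip path traversal)."""
    dest_root = os.path.realpath(dest_dir)
    offending = []
    for info in zf.infolist():
        # Archives written on Windows may carry backslashes; treat them as
        # separators so "..\\..\\x" is not mistaken for a plain file name.
        name = info.filename.replace("\\", "/")
        # Absolute POSIX paths and drive-letter paths never belong in a module.
        if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
            offending.append(info.filename)
            continue
        # Join the components under the project root and resolve "..",
        # symlinks and redundant separators before comparing.
        target = os.path.realpath(os.path.join(dest_root, *name.split("/")))
        try:
            inside = os.path.commonpath([dest_root, target]) == dest_root
        except ValueError:  # e.g. different drives on Windows
            inside = False
        if not inside:
            offending.append(info.filename)
    return offending


def check_module(archive_bytes: bytes, dest_dir: str) -> List[str]:
    """Open a module archive from memory and run the traversal check."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return traversal_entries(zf, dest_dir)


def build_sample_module() -> bytes:
    """Constructed sample archive: one benign member plus two member names
    that would escape the project directory. Not a real Mendix module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyModule/readme.txt", "benign content")
        zf.writestr("../../outside.txt", "would be written above the project")
        zf.writestr("/etc/passwd", "absolute path is never acceptable")
    return buf.getvalue()


# Hypothetical project directory; it does not need to exist for the check.
PROJECT_DIR = os.path.join(tempfile.gettempdir(), "mendix_project")

if __name__ == "__main__":
    bad = check_module(build_sample_module(), PROJECT_DIR)
    if bad:
        print("refusing to install; members escape the project directory:")
        for member in bad:
            print("  ", member)
    else:
        print("archive is safe to extract into", PROJECT_DIR)
```

The check deliberately resolves with `os.path.realpath` rather than string-prefix matching, so a destination such as `/tmp/project` is not fooled by a member named `../project-evil/x` that merely shares a prefix, and so symlinked intermediate directories are followed before the containment test. Running the same function over an already-installed module's archive is a quick way to audit for the condition the detection answer describes.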


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating Mendix Studio Pro to the fixed versions specified (e.g., 8.18.35, 9.24.35, 10.23.0, 10.6.24, 10.12.17, 10.18.7) or later. For versions without available fixes (such as Mendix Studio Pro 11), avoid installing untrusted or unverified modules. Additionally, protect network access with appropriate security mechanisms and configure environments according to Siemens' operational guidelines for Industrial Security. [1]

