Publication Date:
Last Update:
Current Version: V1.2
CVSS v3.1 Base Score: 6.8
Affected Product and Versions / Remediation

All versions < V7.23.29
affected by all CVEs
Update to V7.23.29 or later version and redeploy your application

All versions < V8.18.16
affected by all CVEs
Update to V8.18.16 or later version and redeploy your application

All versions < V9.13 only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False
affected by all CVEs
For versions < V9.13: Set Runtime Custom Setting DataStorage.UseNewQueryHandler to True or remove the custom setting. The value is set to True by default (see
Update to V9.13 or later version and redeploy your application
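The affected-version table above, applied to an application inventory. This is an added example, not code from the advisory or the vendor. It assumes dotted version strings and the deployed Runtime Custom Settings supplied as a dict; the function names and the sample inventory are constructed for illustration.

```python
# Fixed versions per major release line, copied from the advisory table.
FIXED = {7: (7, 23, 29), 8: (8, 18, 16), 9: (9, 13, 0)}
SETTING = "DataStorage.UseNewQueryHandler"


def parse_version(text):
    """Turn 'V9.12.1' or '8.18.15.1234' into a comparable 3-tuple of ints."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    return tuple((parts + [0, 0])[:3])


def triage(version, custom_settings=None):
    """Return (status, action) for one deployed application."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return ("not-listed", "release line is not covered by this advisory")
    if ver >= fixed:
        return ("fixed", "none")
    if ver[0] == 9:
        # Below V9.13 only an explicit False is affected; unset means True.
        value = (custom_settings or {}).get(SETTING, True)
        if str(value).strip().lower() != "false":
            return ("not-affected", f"keep {SETTING} unset or True")
        return ("affected", f"set {SETTING} to True or remove it, "
                            "or update to V9.13 or later and redeploy")
    target = ".".join(str(n) for n in fixed)
    return ("affected", f"update to V{target} or later and redeploy")


# Constructed sample inventory: (app name, runtime version, custom settings).
INVENTORY = [
    ("orders", "7.23.28", {}),
    ("billing", "8.18.16", {}),
    ("portal", "9.12.1", {SETTING: "False"}),
    ("intranet", "9.6.0", {}),
    ("reports", "V9.13", {SETTING: "False"}),
]


def triage_inventory(inventory):
    """Map each app name to its (status, action) pair."""
    return {name: triage(ver, cfg) for name, ver, cfg in inventory}


if __name__ == "__main__":
    for app, (status, action) in triage_inventory(INVENTORY).items():
        print(f"{app:10} {status:13} {action}")
```

Versions are compared as integer tuples, so 9.6.0 sorts below 9.13 where a plain string comparison would not.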

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:, and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

CVSS v3.1 Base Score: 6.8
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
CWE: CWE-284: Improper Access Control
V1.0 (2022-03-08): Publication Date
V1.1 (2022-04-12): Summary update; Default configuration for Mendix 9 is not affected; CVSS vector review
V1.2 (2024-05-14): Added additional fix information for Mendix 9: in versions >= V9.13 the vulnerable configuration is no longer available