A critical security advisory (ICSA-26-188-04) has been released regarding Siemens Mendix Studio Pro, a low-code development platform widely used for enterprise application development. The advisory reveals a file parsing vulnerability affecting versions prior to V11.12.
This is not a theoretical risk. The vulnerability is triggered when the application reads a "specially crafted malicious project" during the build pipeline. For organizations leveraging Mendix for CI/CD or internal development tools, this represents a high-impact vector: a compromised project file checked into a repository or shared via email can lead to arbitrary code execution (RCE) in the context of the user running the build. Defenders must immediately identify vulnerable instances and enforce patching to prevent potential supply-chain compromises.
Technical Analysis
Affected Products:
- Siemens Mendix Studio Pro 10.11 (all versions)
- Siemens Mendix Studio Pro 10.12 (all versions)
- Siemens Mendix Studio Pro 10.13 (all versions)
- Siemens Mendix Studio Pro 10.14 (all versions)
- Siemens Mendix Studio Pro 10.15 (all versions)
Vulnerability Mechanism:
The flaw resides in the file parsing logic of Mendix Studio Pro. When a developer or build agent opens a malicious project file—typically with an .mpr extension—the application improperly parses the data structure. This parsing error can corrupt memory and allow an attacker to hijack the execution flow.
Attack Chain:
- Initial Access: An attacker introduces a malicious project file into the target environment (e.g., a malicious git pull request, a phishing email with an attachment, or a compromised shared network drive).
- Trigger: A victim user or automated build pipeline opens the project using a vulnerable version of Mendix Studio Pro.
- Execution: The parsing vulnerability triggers, executing arbitrary code.
- Impact: Code runs in the context of the logged-in user. If the user is a developer or admin, the attacker gains immediate access to source code, credentials, and potentially the broader build infrastructure.
Exploitation Status: While specific exploit code (PoC) details are not fully disclosed in the advisory, Siemens and CISA have deemed the risk significant enough to urge immediate updates. Given the prevalence of low-code platforms in critical infrastructure and enterprise sectors, this is a prime target for supply-chain attacks.
Detection & Response
Detecting the exploitation of a file parsing vulnerability requires monitoring for anomalous process behavior. Since the attack results in RCE, the most reliable signal is the vulnerable application spawning unexpected child processes (e.g., cmd.exe, powershell.exe) that are not part of the standard developer workflow.
SIGMA Rules
---
title: Potential Exploitation of Mendix Studio Pro File Parsing Vulnerability
id: 8a1c2b3d-4e5f-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects potential arbitrary code execution via Mendix Studio Pro by monitoring for suspicious child process spawns.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-04
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1203
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\MendixStudioPro.exe'
- '\Mendix Modeler.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
condition: selection
falsepositives:
- Legitimate developer debugging or build scripts invoking shell commands
level: high
---
title: Mendix Studio Pro Accessing Suspicious File Locations
id: 9b2d3c4e-5f6a-7890-1b2c-3d4e5f67890a
status: experimental
description: Detects Mendix Studio Pro reading project files from potentially untrusted directories like Downloads or temporary internet folders.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-04
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1193
logsource:
category: file_access
product: windows
detection:
selection:
Image|endswith:
- '\MendixStudioPro.exe'
TargetFilename|contains:
- '\Downloads\'
- '\AppData\Local\Temp\'
- '\Public\'
TargetFilename|endswith:
- '.mpr'
condition: selection
falsepositives:
- Developers opening projects legitimately stored in backup or temp folders
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for Mendix Studio Pro spawning suspicious child processes
DeviceProcessEvents
| where InitiatingProcessFileName has "Mendix"
| where FileName in ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
-- Hunt for Mendix Studio Pro processes spawning shells
SELECT Pid, Name, CommandLine, ParentPid
FROM pslist()
WHERE Name in ("cmd.exe", "powershell.exe", "pwsh.exe")
AND ParentPid IN (
SELECT Pid FROM pslist() WHERE Name =~ "MendixStudioPro"
)
Remediation Script (PowerShell)
This script checks the version of Mendix Studio Pro installed on the system and compares it against the fixed version (11.12.0).
# Check for vulnerable Mendix Studio Pro versions
$FixedVersion = [version]"11.12.0.0"
$VulnerableFound = $false
# Common installation paths for Mendix Studio Pro
$Paths = @(
"${env:ProgramFiles}\Mendix\Mendix Studio Pro\MendixStudioPro.exe",
"${env:ProgramFiles(x86)}\Mendix\Mendix Studio Pro\MendixStudioPro.exe",
"${env:LocalAppData}\Programs\Mendix\Mendix Studio Pro\MendixStudioPro.exe"
)
foreach ($Path in $Paths) {
if (Test-Path $Path) {
$FileProps = Get-Item $Path
$CurrentVersion = $FileProps.VersionInfo.FileVersion
# Convert to version object for comparison
try {
$VersionObj = [version]$CurrentVersion
if ($VersionObj -lt $FixedVersion) {
Write-Host "[ALERT] Vulnerable Mendix Studio Pro found at: $Path" -ForegroundColor Red
Write-Host "Current Version: $CurrentVersion (Fixed Version: $FixedVersion)" -ForegroundColor Red
$VulnerableFound = $true
}
else {
Write-Host "[OK] Mendix Studio Pro at $Path is patched (Version: $CurrentVersion)" -ForegroundColor Green
}
}
catch {
Write-Host "[WARN] Could not parse version for $Path" -ForegroundColor Yellow
}
}
}
if (-not $VulnerableFound) {
Write-Host "No vulnerable installations of Mendix Studio Pro detected in standard paths."
}
Remediation
Immediate Action:
- Update: Update Mendix Studio Pro to version V11.12 or the latest available release immediately.
- Verify: Run the PowerShell script above across all developer workstations and build servers to confirm patch status.
- Scan Code Repositories: If your organization utilizes shared code repositories, audit recent
.mprproject file commits for anomalies, particularly from untrusted third-party contributors.
Vendor Advisory: Refer to the official Siemens ProductCERT advisory for detailed download links and specific version fixes:
Workarounds: If immediate patching is not possible, restrict the use of Mendix Studio Pro to trusted environments only. Do not open project files from unknown or untrusted sources. Developers should be instructed to verify the integrity of project files before loading them into the IDE.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.