CVE-2025-40758 - Vulnerability Details - OpenCVE

A vulnerability has been identified in Mendix SAML (Mendix 10.12 compatible) (All versions < V4.0.3), Mendix SAML (Mendix 10.21 compatible) (All versions < V4.1.2), Mendix SAML (Mendix 9.24 compatible) (All versions < V3.6.21). Affected versions of the module insufficiently enforce signature validation and binding checks. This could allow unauthenticated remote attackers to hijack an account in specific SSO configurations.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Mendix	Mendix Saml

No data.

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/html/ssa-395458.html

History

Fri, 15 Aug 2025 08:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mendix Mendix mendix Mendix saml
Vendors & Products		Mendix Mendix mendix Mendix saml

Thu, 14 Aug 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 14 Aug 2025 15:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been identified in Mendix SAML (Mendix 10.12 compatible) (All versions < V4.0.3), Mendix SAML (Mendix 10.21 compatible) (All versions < V4.1.2), Mendix SAML (Mendix 9.24 compatible) (All versions < V3.6.21). Affected versions of the module insufficiently enforce signature validation and binding checks. This could allow unauthenticated remote attackers to hijack an account in specific SSO configurations.
Weaknesses		CWE-347
References		https://cert-portal.siemens.com/productcert/html/ssa-395458.html
Metrics		cvssV3_1 `{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2025-08-14T15:06:31.691Z

Updated: 2025-08-14T15:18:47.716Z

Reserved: 2025-04-16T08:39:30.031Z

Link: CVE-2025-40758

Vulnrichment

Updated: 2025-08-14T15:18:42.745Z

NVD

Status : Awaiting Analysis

Published: 2025-08-14T15:15:36.133

Modified: 2025-08-15T13:12:51.217

Link: CVE-2025-40758

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-40758", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "state": "PUBLISHED", "assignerShortName": "siemens", "dateReserved": "2025-04-16T08:39:30.031Z", "datePublished": "2025-08-14T15:06:31.691Z", "dateUpdated": "2025-08-14T15:18:47.716Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2025-08-14T15:06:31.691Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix SAML (Mendix 10.12 compatible) (All versions < V4.0.3), Mendix SAML (Mendix 10.21 compatible) (All versions < V4.1.2), Mendix SAML (Mendix 9.24 compatible) (All versions < V3.6.21). Affected versions of the module insufficiently enforce signature validation and binding checks. This could allow unauthenticated remote attackers to hijack an account in specific SSO configurations."}], "affected": [{"vendor": "Siemens", "product": "Mendix SAML (Mendix 10.12 compatible)", "versions": [{"status": "affected", "version": "0", "lessThan": "V4.0.3", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix SAML (Mendix 10.21 compatible)", "versions": [{"status": "affected", "version": "0", "lessThan": "V4.1.2", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix SAML (Mendix 9.24 compatible)", "versions": [{"status": "affected", "version": "0", "lessThan": "V3.6.21", "versionType": "custom"}], "defaultStatus": "unknown"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-395458.html"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-14T15:18:38.766906Z", "id": "CVE-2025-40758", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-14T15:18:47.716Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-40758", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-14T15:18:38.766906Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-14T15:18:42.745Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"}}], "affected": [{"vendor": "Siemens", "product": "Mendix SAML (Mendix 10.12 compatible)", "versions": [{"status": "affected", "version": "0", "lessThan": "V4.0.3", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix SAML (Mendix 10.21 compatible)", "versions": [{"status": "affected", "version": "0", "lessThan": "V4.1.2", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix SAML (Mendix 9.24 compatible)", "versions": [{"status": "affected", "version": "0", "lessThan": "V3.6.21", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-395458.html"}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix SAML (Mendix 10.12 compatible) (All versions < V4.0.3), Mendix SAML (Mendix 10.21 compatible) (All versions < V4.1.2), Mendix SAML (Mendix 9.24 compatible) (All versions < V3.6.21). Affected versions of the module insufficiently enforce signature validation and binding checks. This could allow unauthenticated remote attackers to hijack an account in specific SSO configurations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2025-08-14T15:06:31.691Z"}}}, "cveMetadata": {"cveId": "CVE-2025-40758", "state": "PUBLISHED", "dateUpdated": "2025-08-14T15:18:47.716Z", "dateReserved": "2025-04-16T08:39:30.031Z", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "datePublished": "2025-08-14T15:06:31.691Z", "assignerShortName": "siemens"}, "dataVersion": "5.1"}