CVE-2025-40592 is a path traversal vulnerability (CWE-22) affecting multiple versions of Siemens Mendix Studio Pro, a low-code development platform widely used for building enterprise applications. The vulnerability exists in the module installation process, specifically when handling ZIP files containing modules. An attacker can craft a malicious module ZIP archive with specially crafted file paths that traverse directories outside the intended project directory. When such a module is installed, the software improperly limits pathname resolution, allowing arbitrary files to be written or modified outside the developer's project directory. This can lead to unauthorized modification of files on the developer's system, potentially altering configuration files, injecting malicious code, or corrupting critical files. The vulnerability affects all versions of Mendix Studio Pro 8, 9, 10, and 11 prior to specific patch versions (e.g., versions earlier than 10.23.0 for Mendix Studio Pro 10). The CVSS 3.1 base score is 6.1 (medium severity), reflecting network attack vector, high attack complexity, no privileges required, user interaction required, scope changed, no confidentiality impact, high integrity impact, and no availability impact. No known exploits are reported in the wild yet. The vulnerability is significant because it can be exploited by distributing malicious modules, for example via the Mendix Marketplace, which developers use to share and install modules. This supply chain vector increases the risk of widespread impact if malicious modules are published. The vulnerability requires user interaction (module installation) and has high attack complexity, limiting immediate exploitation but still posing a serious risk to development environments and the integrity of applications built with Mendix Studio Pro.

For European organizations using Mendix Studio Pro, this vulnerability poses a risk to the integrity of their development environments and the applications they build. An attacker exploiting this flaw could modify or inject malicious code into developer projects or system files, potentially leading to compromised applications deployed in production. This could result in data integrity issues, unauthorized access, or further downstream compromise of enterprise systems. Since Mendix is popular in sectors such as finance, manufacturing, and public services across Europe, the impact could extend to critical infrastructure and sensitive data environments. The supply chain nature of the threat means that even trusted module sources could be vectors for attack if compromised. Additionally, the vulnerability could disrupt development workflows and delay project timelines due to the need for remediation and forensic analysis. Although the vulnerability does not directly impact confidentiality or availability, the integrity impact is high, which can have serious consequences for trustworthiness and security of enterprise applications.

European organizations should immediately verify the versions of Mendix Studio Pro in use and upgrade to the patched versions (e.g., V10.23.0 or later for Mendix Studio Pro 10, and corresponding patched versions for other branches). Until patches are applied, organizations should restrict module installation to trusted sources only and implement strict code review and validation processes for any third-party modules. Employ sandboxing or isolated environments for module testing before integration into production projects. Monitor module repositories and developer environments for unusual file modifications or unexpected file paths. Educate developers about the risks of installing unverified modules and enforce least privilege principles on developer workstations to limit the impact of potential exploitation. Additionally, organizations should consider implementing file integrity monitoring on development systems to detect unauthorized changes promptly. Finally, coordinate with Siemens and Mendix support channels to receive timely updates and advisories.