Warning: Information disclosure vulnerability in M-Files Server, Patch Immediately!

Published: 24/12/2025
  • Last update: 24/12/2025
  • Affected software: versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5
  • Type: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor)
  • CVE/CVSS
    → CVE-2025-13008: CVSS 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Sources

M-Files - https://product.m-files.com/security-advisories/cve-2025-13008/

Risks

Authenticated M-Files Web users can impersonate other users and perform actions on the server with those users' identities and permissions. This can lead to unauthorised changes to files made under other users' identities, making it harder to identify the user actually responsible for a change. Attackers can exploit this vulnerability to escalate their privileges and act on the server without being directly detected. This vulnerability has a high impact on the confidentiality, integrity and availability of the vulnerable system.

Description

The vulnerability exists specifically in M-Files Web and requires an authenticated user. The victim must be using M-Files Web and perform specific client operations. An attacker could obtain other users' session tokens to impersonate them and perform actions on their behalf.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
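Because the advisory describes an attacker reusing another user's session token, one concrete signal worth monitoring is a single session token being presented from more than one client context (source address and user agent) within a short time. The script below is an added example, not code from the CCB or from M-Files: it parses a constructed, hypothetical access-log format (timestamp, source IP, authenticated user, session token, user agent) and flags tokens that appear from several distinct contexts inside a time window. The log layout, field names and sample values are assumptions; adapt the regular expression to whatever your reverse proxy or M-Files Web front end actually logs.

```python
"""
Added example (not from the CCB advisory or M-Files): flag session tokens
presented from more than one client context, the kind of trace that
session-token reuse by a second party leaves in access logs.

The log format is a constructed, hypothetical one:
  <timestamp> <source-ip> <user> <session-token> "<user-agent>"
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (hypothetical format). Token values are
# illustrative placeholders, not real session identifiers.
SAMPLE_LOG = """\
2025-12-24T09:00:01Z 10.0.1.15 alice tok_4f1a "Mozilla/5.0 (Windows NT 10.0)"
2025-12-24T09:00:07Z 10.0.1.15 alice tok_4f1a "Mozilla/5.0 (Windows NT 10.0)"
2025-12-24T09:02:30Z 10.0.1.22 bob tok_9c3e "Mozilla/5.0 (X11; Linux)"
2025-12-24T09:03:12Z 10.0.7.99 alice tok_4f1a "python-requests/2.32"
2025-12-24T09:04:40Z 10.0.1.22 bob tok_9c3e "Mozilla/5.0 (X11; Linux)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<token>\S+) "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped
    rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # Accept the trailing 'Z' form of UTC timestamps.
        d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        events.append(d)
    return events


def find_shared_sessions(events, window_minutes=30):
    """Return {token: details} for every token that was presented from two or
    more distinct (source IP, user agent) pairs within window_minutes.

    A user legitimately switching networks can also trigger this, so treat a
    hit as something to investigate, not as proof of compromise."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)

    findings = {}
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        contexts = {(e["ip"], e["ua"]) for e in evs}
        if len(contexts) < 2:
            continue
        span_minutes = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 60
        if span_minutes <= window_minutes:
            findings[token] = {
                "users": sorted({e["user"] for e in evs}),
                "contexts": sorted(contexts),
                "span_minutes": round(span_minutes, 2),
            }
    return findings


if __name__ == "__main__":
    for token, info in find_shared_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"{token}: users={info['users']} "
              f"contexts={info['contexts']} within {info['span_minutes']} min")
```

On the constructed sample, only `tok_4f1a` is flagged: it is used from the workstation that established it and, three minutes later, from a different address with a scripted client. The second session (`tok_9c3e`) stays on one client context and is not reported. In practice, correlate a hit with the server-side audit trail for the same user so that actions performed during the overlap can be attributed to the right identity.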

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.