M-Files Vulnerability Let Attacker Capture Session Tokens of Other Active Users

An information disclosure vulnerability in M-Files Server enables authenticated attackers to capture and reuse session tokens from active users, potentially gaining unauthorized access to sensitive document management systems.

The flaw, tracked as CVE-2025-13008, affects multiple versions across different release branches and carries a high-severity CVSS 4.0 base score of 8.6.

The vulnerability exists within M-Files Web and requires the attacker to have legitimate authentication credentials.

Once authenticated, an attacker can intercept session tokens of other actively connected users while they perform specific client operations.

By obtaining these tokens, threat actors can impersonate legitimate users and execute actions in their name and with their permissions, including accessing confidential documents and potentially modifying critical information.

The flaw is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). It represents a session replay scenario per CAPEC-60.

The attack requires user interaction and network accessibility, making it a practical threat in connected environments.

Affected Versions

Organizations running the following M-Files Server versions are vulnerable and should prioritize patching:

Release Branch    Vulnerable Versions      Patched Version
Current Release   Before 25.12.15491.7     25.12.15491.7
LTS 25.8          Before SR3               25.8.15085.18 (SR3)
LTS 25.2          Before SR3               25.2.14524.14 (SR3)
LTS 24.8          Before SR5               24.8.13981.17 (SR5)

M-Files has released patched versions addressing this vulnerability. The flaw was reported to the company through responsible disclosure, and no public exploits currently exist.

However, the "low probability of exploitation" designation should not diminish the urgency of patching, given the high impact of a successful attack: unauthorized document access and potential lateral movement within enterprise systems.

Organizations should prioritize testing and deploying patches across all affected M-Files Server instances.

Simultaneously, security teams should monitor access logs for suspicious user activity that indicates token theft or unauthorized account use.
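One way to act on that monitoring advice, as an added example that is not from the article or from M-Files: a small Python check over constructed access-log lines that flags a session id reused from a different client (source IP plus user agent) within a short window, which is the signature a replayed token would leave. The log layout and field order are assumptions for the example, not M-Files' real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example. The layout (timestamp, user,
# session id, source IP, user agent) is an assumption, not M-Files' real format.
SAMPLE_LOG = """\
2025-12-01T09:00:01Z alice sess-a1 10.0.0.5 MFilesWeb/25.8
2025-12-01T09:01:10Z alice sess-a1 10.0.0.5 MFilesWeb/25.8
2025-12-01T09:02:30Z alice sess-a1 10.0.0.77 curl/8.4
2025-12-01T09:03:00Z bob sess-b9 10.0.0.9 MFilesWeb/25.8
2025-12-01T09:04:00Z bob sess-b9 10.0.0.9 MFilesWeb/25.8
2025-12-01T13:00:00Z carol sess-c3 10.0.1.2 MFilesWeb/25.8
2025-12-01T16:30:00Z carol sess-c3 10.0.1.40 MFilesWeb/25.8
"""


def parse_line(line):
    """Split one constructed log line into (time, user, session, ip, agent)."""
    ts, user, session, ip, agent = line.split(maxsplit=4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, session, ip, agent


def find_replayed_sessions(log_text, window_minutes=30):
    """Return session ids whose consecutive uses come from two different
    clients (IP + user agent) within window_minutes of each other.
    A user changing networks hours apart (carol) is not flagged; a token
    reused from a new client minutes later (alice) is."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            when, user, session, ip, agent = parse_line(raw)
            events[session].append((when, user, ip, agent))
    findings = {}
    for session, rows in events.items():
        rows.sort()  # chronological order before comparing neighbours
        for (t_prev, user, ip_prev, ua_prev), (t_cur, _, ip_cur, ua_cur) in zip(rows, rows[1:]):
            if (ip_prev, ua_prev) != (ip_cur, ua_cur) and t_cur - t_prev <= window:
                findings[session] = {
                    "user": user,
                    "from": f"{ip_prev} {ua_prev}",
                    "to": f"{ip_cur} {ua_cur}",
                    "seconds_apart": int((t_cur - t_prev).total_seconds()),
                }
                break  # one finding per session is enough to raise an alert
    return findings


if __name__ == "__main__":
    for session, info in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"possible token replay: {session} {info}")
```

Tune the window to the environment's normal behaviour; a large window will also flag legitimate users who switch networks or browsers.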
