A critical security vulnerability in M-Files Server could allow authenticated attackers to capture active user session tokens via the M-Files Web interface, enabling identity impersonation and unauthorized access to sensitive information.
The flaw, tracked as CVE-2025-13008, was disclosed on December 19, 2025, and affects multiple M-Files Server versions deployed across enterprise environments.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-13008 |
| Vulnerability Type | Information Disclosure / Session Token Exposure |
| Affected Component | M-Files Web (M-Files Server) |
| Severity | High |
| CVSS 4.0 Score | 8.6 |
Vulnerability Overview
CVE-2025-13008 is an information disclosure vulnerability stemming from inadequate session token protection mechanisms in M-Files Web.
An authenticated attacker exploiting this flaw can intercept and steal session tokens of other users actively using the M-Files Web interface.
The vulnerability requires the victim to perform specific client operations, creating a window of opportunity for token capture during active sessions.
With stolen session tokens, attackers can fully impersonate legitimate users, inheriting their identity, permissions, and access rights.
This enables unauthorized viewing of confidential documents, modification of critical records, and execution of privileged actions without detection.
The attack could bypass traditional authentication controls since the attacker leverages valid session credentials rather than compromising user passwords.
The vulnerability affects M-Files Server installations running versions before 25.12.15491.7, LTS 25.8 SR3 (25.8.15085.18), LTS 25.2 SR3 (25.2.14524.14), and LTS 24.8 SR5 (24.8.13981.17).
M-Files has assigned a CVSS 4.0 base score of 8.6, indicating high severity and significant potential for breaches of confidentiality, integrity, and availability.
The flaw is categorized under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) and mapped to CAPEC-60 (Reusing Session IDs/Session Replay).
While there is no report of the vulnerability being exploited in the wild and it was responsibly disclosed, the likelihood of exploitation grows the longer organizations delay patching.
Organizations using M-Files Server must immediately upgrade to the patched versions: 25.12.15491.7 or the appropriate LTS Service Release for their deployment.
Security teams should audit M-Files Web access logs for suspicious session activity patterns and implement additional monitoring for token-based authentication anomalies until patches are fully deployed.
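One way to act on the log-audit recommendation above, as an added example that is not part of the article or of M-Files' own tooling: a Python check that flags any session token presented by more than one client, which is the replay pattern (CAPEC-60) a captured token would leave behind. The log line format and the sample entries are constructed and hypothetical; a real M-Files Web access log needs its own parser, but the reuse check is format-independent.

```python
"""Flag a session token used from more than one client: the session-replay
trace a stolen M-Files Web token would leave in access logs.
Added example, not from the article or M-Files. The log format below is a
constructed, hypothetical export; only parse_line() depends on it."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: timestamp, user, client IP, user agent, session token.
# alice's token reappears from a second IP with a scripted user agent.
SAMPLE_LOG = """\
2025-12-19T09:00:01Z alice 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0)" sess=a1b2c3d4e5f6
2025-12-19T09:00:40Z alice 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0)" sess=a1b2c3d4e5f6
2025-12-19T09:02:13Z alice 10.0.0.99 "python-requests/2.31" sess=a1b2c3d4e5f6
2025-12-19T09:03:00Z bob 10.0.0.7 "Mozilla/5.0 (Macintosh)" sess=0f9e8d7c6b5a
2025-12-19T09:05:30Z bob 10.0.0.7 "Mozilla/5.0 (Macintosh)" sess=0f9e8d7c6b5a
malformed line that the parser must skip, not crash on
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" sess=(?P<token>\S+)$'
)

def parse_line(line):
    """Return the named fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def fingerprint(token):
    """Short SHA-256 prefix so the alert does not re-expose the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def find_replayed_sessions(log_text):
    """One finding per token presented by more than one (ip, user agent) pair.
    The victim's browser and a replaying client share the token but rarely
    share both address and user agent, so that combination is the alert."""
    clients = defaultdict(set)  # token -> {(ip, ua), ...}
    owner = {}                  # token -> user the token was first seen with
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        owner.setdefault(rec["token"], rec["user"])
        clients[rec["token"]].add((rec["ip"], rec["ua"]))
    return [
        {"user": owner[tok], "token_fp": fingerprint(tok), "clients": sorted(pairs)}
        for tok, pairs in clients.items() if len(pairs) > 1
    ]
```

Running `find_replayed_sessions(SAMPLE_LOG)` reports alice's token seen from both 10.0.0.5 and 10.0.0.99 and nothing for bob; feed it a real export once the parser matches that format.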