An insider-driven token disclosure flaw that enables full user impersonation without passwords or alerts
Vulnerability Snapshot
| Field | Details |
|---|---|
| CVE ID | CVE-2025-13008 |
| Vulnerability Name | Session Token Disclosure in M-Files Web |
| CVSS 4.0 Score | 8.6 (HIGH) |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Severity | HIGH |
| Exploit Availability | No public exploit available (responsibly disclosed) |
| Exploitability | Low probability – requires authenticated access |
| Active Exploitation | No known exploitation in the wild |
| Disclosure Date | December 19, 2025 |
| Vendor | M-Files Corporation |
| Affected Product | M-Files Server (Web Interface) |
What’s the Deal with This Vulnerability?
This issue is not a classic “external attacker breaks in from the internet” scenario. The real risk here comes from inside the organization.
Any user with valid M-Files credentials can potentially intercept active session tokens belonging to other users who are currently working in the M-Files Web interface. Once a session token is obtained, the attacker effectively becomes the victim from the server’s perspective.
With a stolen token, the attacker can:
- Access the victim’s vaults
- View confidential or sensitive documents
- Modify records and metadata
- Perform actions using the victim’s permissions
No password is required, and no re-authentication occurs. From the system’s point of view, everything looks legitimate because the session credentials are valid. As a result, traditional authentication controls and login monitoring provide little to no warning.
Technical Classification (MITRE Mapping)
| Classification | Details |
|---|---|
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor – Session tokens are not sufficiently protected, allowing unauthorized access. |
| CAPEC-60 | Reusing Session IDs (Session Replay) – A valid session identifier is captured and reused to impersonate another user. |
| ATT&CK T1550.001 | Use Alternate Authentication Material: Application Access Token – Stolen tokens are used instead of credentials. |
| ATT&CK T1550.004 | Use Alternate Authentication Material: Web Session Cookie – Session cookies are leveraged to bypass authentication. |
How Could This Be Exploited?
In simple terms, an attack could unfold as follows:
- Attacker logs in legitimately: The attacker already has a valid M-Files account (for example, a malicious insider, contractor, or compromised user).
- Victim is actively working: Another user is using M-Files Web and performing specific client-side operations.
- Session token interception occurs: Due to insufficient session token protection in M-Files Web, the attacker is able to capture the victim’s active session token.
- Identity takeover: Using the stolen token, the attacker impersonates the victim and gains access to all vaults, documents, and actions allowed by the victim’s role.
- No alarms are triggered: Since no password guessing or authentication bypass occurs, logs show legitimate session activity rather than an intrusion attempt.
Important caveat:
The victim must be actively performing certain operations in M-Files Web for the attack window to exist. This is not a passive, always-on token harvesting flaw. However, in organizations where users remain logged in for long periods throughout the day, the practical exposure window can still be significant.
Which Versions Are Affected?
You are vulnerable if your environment is running any of the following versions:
- M-Files Server before 25.12.15491.7
- M-Files Server before LTS 25.8 SR3 (25.8.15085.18)
- M-Files Server before LTS 25.2 SR3 (25.2.14524.14)
- M-Files Server before LTS 24.8 SR5 (24.8.13981.17)
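The affected-version list above has one threshold per release branch, which is easy to get wrong when an inventory spreadsheet mixes main-line and LTS servers. The script below is an added example (not an M-Files tool) that classifies inventoried version strings against those four fixed builds. It assumes versions are four dotted integers as printed in the advisory, that the branch is the first two components, and that any branch not listed as LTS belongs to the main line and is compared against the 25.12 fix.

```python
"""Triage M-Files Server versions against the fixed builds from the advisory.

Added example, not M-Files' own tooling. Assumptions: four dotted integer
components, branch = first two components, non-LTS branches are compared
against the main-line fix (25.12.15491.7).
"""
from typing import Dict, List, Tuple

MAIN_FIXED = "25.12.15491.7"
LTS_FIXED: Dict[Tuple[int, int], str] = {
    (25, 8): "25.8.15085.18",   # LTS 25.8 SR3
    (25, 2): "25.2.14524.14",   # LTS 25.2 SR3
    (24, 8): "24.8.13981.17",   # LTS 24.8 SR5
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '25.8.15085.18' into (25, 8, 15085, 18); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected M-Files version format: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: str) -> str:
    """Return the fixed build a server on this branch must be at or above."""
    branch = parse_version(version)[:2]
    return LTS_FIXED.get(branch, MAIN_FIXED)  # assumption: unknown branch = main line


def is_vulnerable(version: str) -> bool:
    """True when the build is strictly older than its branch's fixed build."""
    return parse_version(version) < parse_version(fixed_version_for(version))


def triage(inventory: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Bucket {hostname: version} into 'vulnerable' / 'patched'.

    Each entry is (host, current version, target build) so the patch ticket
    can name the exact build the server should be upgraded to.
    """
    report: Dict[str, List[Tuple[str, str, str]]] = {"vulnerable": [], "patched": []}
    for host, version in sorted(inventory.items()):
        bucket = "vulnerable" if is_vulnerable(version) else "patched"
        report[bucket].append((host, version, fixed_version_for(version)))
    return report


if __name__ == "__main__":
    # Constructed inventory; hostnames and builds are made up for the demo.
    sample = {
        "dms-01": "25.12.15491.7",   # main line, already patched
        "dms-02": "25.2.14000.3",    # LTS 25.2, behind SR3
        "dms-03": "24.8.13981.17",   # LTS 24.8 SR5, patched
        "dms-04": "25.5.14900.2",    # non-LTS 25.5 build, treated as main line
    }
    for bucket, rows in triage(sample).items():
        for host, current, target in rows:
            print(f"{bucket:10} {host} {current} (fixed build: {target})")
```

A server reported as 25.5.x is classed as vulnerable here because the advisory gives no separate threshold for that branch; confirm against the vendor advisory if your estate runs builds outside the four listed lines.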
Proof of Concept (PoC) Status
There is currently no public proof-of-concept available. This vulnerability was responsibly disclosed, and no exploit code has been released.
That said, session token interception is a well-understood technique. A capable attacker could develop their own exploit based solely on the technical description. While M-Files rates the likelihood of exploitation as LOW, this should not be interpreted as low risk. The potential impact is severe, and patching should not be delayed.
How to Detect Exploitation Attempts
Key Indicators to Hunt For
Monitor your environment for the following red flags:
- Concurrent sessions from different IP addresses: The same user account active from multiple IPs at the same time, especially when one IP is unfamiliar.
- Impossible travel scenarios: Sessions originating from geographically distant locations within an unrealistic timeframe (e.g., New York and Tokyo within minutes).
- Unusual access patterns: A user suddenly accessing vaults or documents they have never interacted with before, particularly sensitive content.
- Session anomalies: Sudden changes in user-agent strings, browser fingerprints, or device characteristics during an active session.
- Privilege misuse indicators: Actions that align with the victim’s permissions but match the attacker’s typical behavioral patterns.
Log Sources to Monitor
| Log Source | What to Look For |
|---|---|
| M-Files Vault Event Log | Login events, document access, object modifications. Enable Advanced Event Logging if available. |
| M-Files Server Activity Monitor | Active sessions, vault connections, user operations. Export data (JSON) for SIEM ingestion. |
| IIS Logs (Web Server) | HTTP requests, session cookies, source IPs, and user-agent strings. Watch for session ID reuse across IPs. |
| Network Traffic Logs | Session token patterns and unusual connection behavior to M-Files Web endpoints. |
| SIEM / XDR Platform | Correlate M-Files logs with endpoint and network data to identify anomalies. |
Detection Rule Logic (Pseudo-code)
```text
// Concurrent Session Detection: the same session id reappears from a new source IP within a short window
IF user.session_id == active_session.id
   AND source_ip != original_session.ip
   AND time_difference < 5 minutes
THEN alert('Possible Session Hijacking - CVE-2025-13008')
```
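The pseudo-code above and the indicator list earlier (concurrent sessions from different IPs, user-agent changes mid-session) describe one rule; the script below is an added example that implements it over constructed log records. It is not code from the advisory or from M-Files. The tab-separated record layout (ISO timestamp, user, session id, source IP, user agent) and the five-minute window are assumptions; map the fields onto your own IIS log or M-Files Server Activity Monitor export.

```python
"""Session-anomaly detector for the hijack indicators listed in the advisory.

Added example, not tooling from the advisory or from M-Files. Record layout
and field names are assumptions for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class AccessRecord:
    ts: datetime
    user: str
    session_id: str
    source_ip: str
    user_agent: str


@dataclass
class Alert:
    ts: datetime
    user: str
    session_id: str
    reason: str      # "ip_change" or "user_agent_change"
    previous: str
    current: str


def parse_log(text: str) -> List[AccessRecord]:
    """Parse tab-separated lines: ISO timestamp, user, session id, source IP, user agent."""
    records: List[AccessRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, ua = line.split("\t", 4)
        records.append(AccessRecord(datetime.fromisoformat(ts), user, sid, ip, ua))
    return records


def detect_session_anomalies(records: List[AccessRecord], window_minutes: int = 5) -> List[Alert]:
    """Flag a session id seen from a new source IP, or with a new user agent,
    within `window_minutes` of its previous request (the advisory's rule).

    Each (session, reason, new value) triple is reported once, so a hijacked
    session that alternates between two clients does not flood the SOC queue.
    """
    window = timedelta(minutes=window_minutes)
    last: Dict[str, AccessRecord] = {}
    reported: Set[Tuple[str, str, str]] = set()
    alerts: List[Alert] = []
    for rec in sorted(records, key=lambda r: r.ts):
        prev = last.get(rec.session_id)
        if prev is not None and rec.ts - prev.ts < window:
            checks = (
                ("ip_change", prev.source_ip, rec.source_ip),
                ("user_agent_change", prev.user_agent, rec.user_agent),
            )
            for reason, before, now in checks:
                key = (rec.session_id, reason, now)
                if before != now and key not in reported:
                    reported.add(key)
                    alerts.append(Alert(rec.ts, rec.user, rec.session_id, reason, before, now))
        last[rec.session_id] = rec
    return alerts


# Constructed sample records (not real traffic). alice's session id reappears
# from a second IP and a different browser within a minute: the hijack pattern.
# carol's IP changes 45 minutes apart, which this five-minute rule leaves to the
# impossible-travel check rather than alerting on.
SAMPLE_LOG = (
    "2025-12-19T09:00:00\talice\tS-7f3a91\t10.1.4.20\tMozilla/5.0 (Windows NT 10.0; Win64) Chrome/120\n"
    "2025-12-19T09:02:30\talice\tS-7f3a91\t10.1.4.20\tMozilla/5.0 (Windows NT 10.0; Win64) Chrome/120\n"
    "2025-12-19T09:03:10\talice\tS-7f3a91\t10.1.9.77\tMozilla/5.0 (X11; Linux x86_64) Firefox/121\n"
    "2025-12-19T09:04:00\tbob\tS-c0ffee\t10.1.4.31\tMozilla/5.0 (Windows NT 10.0; Win64) Edge/120\n"
    "2025-12-19T13:30:00\tbob\tS-c0ffee\t10.1.4.31\tMozilla/5.0 (Windows NT 10.0; Win64) Edge/120\n"
    "2025-12-19T17:00:00\tcarol\tS-deadbe\t10.1.4.40\tMozilla/5.0 (Macintosh) Safari/17\n"
    "2025-12-19T17:45:00\tcarol\tS-deadbe\t10.1.4.55\tMozilla/5.0 (Macintosh) Safari/17\n"
)


if __name__ == "__main__":
    for a in detect_session_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} {a.user} {a.session_id} {a.reason}: {a.previous} -> {a.current}")
```

Tune the window to your environment: VPN reconnects, mobile roaming and proxy pools legitimately change a user's source IP, so pair this rule with the user-agent check (an attacker replaying a token from their own browser rarely matches the victim's fingerprint) and with the impossible-travel logic before paging anyone.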
SOC Action Items – What to Do Right Now
Immediate Actions
- Identify all M-Files Server deployments: Coordinate with IT and infrastructure teams to inventory all installations and versions.
- Prioritize patching: Upgrade immediately to 25.12.15491.7 or the appropriate patched LTS release.
- Audit existing sessions: Review historical and current M-Files Web access logs for signs of session hijacking.
- Enable enhanced logging: Activate Advanced Event Logging and User Action Logs to improve visibility.
Compensating Controls (Until Patched)
- IP-based session binding: Where feasible, bind sessions to known IP ranges or subnets.
- Reduce session timeouts: Shorten idle session lifetimes to limit token exposure.
- User awareness: Encourage users to log out when not actively using M-Files Web.
- Network segmentation: Restrict M-Files Web access to trusted network zones whenever possible.
Related Vulnerability: CVE-2025-14267
M-Files also disclosed a second issue during the same timeframe:
| Field | Details |
|---|---|
| CVE ID | CVE-2025-14267 |
| Vulnerability Name | Improper Temporary Cached Data in Structure-Only Vault Copy |
| CVSS 4.0 Score | 5.6 (MEDIUM) |
| CWE | CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer |
| CAPEC | CAPEC-410: Information Elicitation |
What happens:
When an administrator copies a vault using the “metadata structure only” option, cached activity data is not fully cleaned. This may expose file names, user names, and comments from the source vault.
Affected Versions:
- M-Files Server before 25.12.15491.7
Good news:
Upgrading to the patched version automatically removes the cached data during the database update. No additional remediation is required beyond patching.
Official Patch Information
Patched versions are available from official M-Files sources:
- M-Files Product Downloads: https://product.m-files.com/downloads/
- CVE-2025-13008 Advisory: https://product.m-files.com/security-advisories/cve-2025-13008/
- CVE-2025-14267 Advisory: https://product.m-files.com/security-advisories/cve-2025-14267/
Bottom Line
CVE-2025-13008 represents a high-severity insider threat that allows authenticated users to hijack active sessions and fully impersonate other users. While no public exploit currently exists and the likelihood of exploitation is rated low, the impact is severe: complete identity impersonation with all associated privileges.
A fix is available, and delaying patching only increases risk as technical details are now public.
⚠ Priority: Patch M-Files Server immediately. Actively monitor for suspicious session behavior and apply compensating controls if patching cannot be performed right away.
