M Files Server
CVE-2025-0619
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords
AnalysisAI
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords Affected products include: M-Files M-Files Server. Version information: before 25.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.
More in M Files Server
View allLack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authe
Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLD
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specif
A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 2
Desktop component service allows lateral movement between sessions in M-Files before 23.4.12455.0. Rated high severity (
Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allow
A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API me
Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonym
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle
Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive
Denial of service in M-Files Server versions prior to 26.5.16015.0, 26.2 LTS, and 25.8 LTS SR3 allows an authenticated r
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today