
CVE-2025-13008: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in M-Files Corporation M-Files Server

Severity: High
Published: Fri Dec 19 2025 (12/19/2025, 07:04:19 UTC)
Source: CVE Database V5
Vendor/Project: M-Files Corporation
Product: M-Files Server

Description

An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.

AI-Powered Analysis

Last updated: 01/07/2026, 19:50:38 UTC

Technical Analysis

CVE-2025-13008 is an information disclosure vulnerability classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) affecting M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3, and 24.8 LTS SR5. The flaw allows an authenticated attacker who has access to M-Files Web to capture session tokens belonging to other active users. Session tokens are what keep an authenticated session alive; if one is captured, an attacker can hijack that user's session and gain unauthorized access to the documents and data managed by M-Files Server. The vulnerability requires no privileges beyond a valid authenticated account, but it does require user interaction, such as accessing the web interface. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and user interaction required (UI:P). The impact on confidentiality, integrity, and availability is high, as session token compromise can lead to unauthorized data access and potential manipulation or disruption of services. No public exploits have been reported yet, but the nature of the vulnerability makes it a significant risk if weaponized. The vulnerability affects multiple supported versions of M-Files Server, a widely used enterprise document management system, making it relevant to organizations that rely on this product for secure document workflows.

Potential Impact

For European organizations, the impact of CVE-2025-13008 is substantial due to the potential for unauthorized access to sensitive corporate and personal data managed within M-Files Server environments. Confidentiality breaches could expose private personal information and intellectual property, leading to regulatory non-compliance under GDPR and other data protection laws. Integrity and availability impacts could disrupt business operations reliant on document management workflows. Attackers leveraging stolen session tokens could impersonate legitimate users, escalate privileges, or exfiltrate data without detection. This risk is heightened in sectors with stringent data security requirements such as finance, healthcare, government, and critical infrastructure. The vulnerability's exploitation could also damage organizational reputation and result in financial penalties. Given the low complexity of exploitation and the widespread use of M-Files in Europe, the threat poses a meaningful risk to enterprise environments if patches are not applied promptly.

Mitigation Recommendations

1. Immediately apply the security updates provided by M-Files Corporation for versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3, and 24.8 LTS SR5 or later to remediate the vulnerability.
2. Enforce strict session management policies, including short session timeouts and automatic invalidation of sessions after logout or inactivity.
3. Implement multi-factor authentication (MFA) for all M-Files Web access to reduce the risk of session hijacking.
4. Monitor and audit session token usage and access logs for unusual patterns indicative of token theft or session hijacking attempts.
5. Restrict access to M-Files Web interfaces via network segmentation and IP whitelisting where feasible.
6. Educate users about phishing and social engineering risks that could facilitate session token compromise.
7. Employ web application firewalls (WAFs) with rules tuned to detect anomalous session token activities.
8. Regularly review and update access controls and permissions within M-Files to minimize exposure.

These steps go beyond generic advice by focusing on session security hardening and proactive monitoring tailored to this vulnerability's exploitation vector.
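Step 4 above asks for monitoring of session token usage. The following is an added example (not M-Files code and not part of the original entry) of the detection logic a defender would run over web access logs: it flags any session token that is used from more than one client (IP address plus user agent) within a short window, which is the footprint a captured token leaves when it is replayed from a second machine. The log format is constructed for illustration, since the page gives no M-Files log schema; map the fields to your real logs.

```python
"""Flag session tokens used from more than one client within a time window.
Added example, not M-Files code; the log format below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: timestamp, user, client IP, user agent, token.
# The fourth line shows one token (tok_A1) reused from a different client.
SAMPLE_LOG = """\
2025-12-19T08:00:01Z user=alice ip=10.0.1.15 ua="Chrome/120" token=tok_A1
2025-12-19T08:00:42Z user=alice ip=10.0.1.15 ua="Chrome/120" token=tok_A1
2025-12-19T08:03:10Z user=bob   ip=10.0.2.30 ua="Firefox/121" token=tok_B7
2025-12-19T08:04:55Z user=alice ip=198.51.100.7 ua="curl/8.5" token=tok_A1
2025-12-19T09:30:00Z user=carol ip=10.0.3.9 ua="Edge/120" token=tok_C3
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+)\s+ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" token=(?P<token>\S+)$'
)

def parse(log_text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev

def find_shared_tokens(log_text, window_seconds=3600):
    """Return {token: sorted list of (ip, ua)} for every token seen from two
    or more distinct clients within window_seconds of each other.
    Tune the window (and whitelist known multi-device users) to cut noise."""
    uses = defaultdict(list)
    for ev in parse(log_text):
        uses[ev["token"]].append(ev)
    flagged = {}
    for token, evs in uses.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if (b["ts"] - a["ts"]).total_seconds() > window_seconds:
                    break  # later events are even further apart
                if (a["ip"], a["ua"]) != (b["ip"], b["ua"]):
                    flagged.setdefault(token, set()).update(
                        {(a["ip"], a["ua"]), (b["ip"], b["ua"])})
    return {t: sorted(c) for t, c in flagged.items()}

if __name__ == "__main__":
    for token, clients in find_shared_tokens(SAMPLE_LOG).items():
        print(f"ALERT: token {token} used from {len(clients)} clients: {clients}")
```

A hit is a trigger to invalidate that session server-side and contact the user, not proof of compromise on its own; legitimate multi-device use produces the same pattern.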


Technical Details

Data Version: 5.2
Assigner Short Name: M-Files Corporation
Date Reserved: 2025-11-11T14:42:39.451Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6944fb8919341fe1888ac951

Added to database: 12/19/2025, 7:15:21 AM

Last enriched: 1/7/2026, 7:50:38 PM

Last updated: 2/7/2026, 9:33:12 AM

