CVE-2025-13008: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in M-Files Corporation M-Files Server
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
AI Analysis
Technical Summary
CVE-2025-13008 is an information disclosure vulnerability classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) affecting M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3, and 24.8 LTS SR5. The flaw allows an authenticated attacker with access to the M-Files Web interface to capture session tokens belonging to other active users. Session tokens are what keep an authenticated session alive; an attacker holding another user's token can impersonate that user without knowing their credentials. The vulnerability has a CVSS v4.0 base score of 8.6 (high): network attack vector, low attack complexity, only the privileges of an ordinary authenticated user required, and potential high confidentiality, integrity, and availability impact. It does not require special privileges, but it does require user interaction; the likely scenario is the attacker using the web interface to capture tokens while other users are active. No exploits have been reported in the wild, but the risk remains significant given the nature of session token theft. The vulnerability stems from insufficient protection of session tokens within the M-Files Web environment, possibly inadequate session isolation or token handling. M-Files Server is widely used for enterprise document management, which makes this vulnerability critical for organizations relying on it for secure information handling.
Potential Impact
If exploited, this vulnerability could allow an attacker to hijack active user sessions by capturing their session tokens. That gives unauthorized access to sensitive documents and data managed by M-Files Server, with potential consequences including data breaches, intellectual property theft, and disruption of business operations. The attacker could act with the full privileges of the compromised user, including viewing, modifying, or deleting documents. Given the high confidentiality, integrity, and availability impact, organizations could face regulatory penalties, reputational damage, and operational downtime. The requirement for authentication raises the attack barrier but still leaves a significant threat, especially where user credentials are widely shared or weakly protected. The absence of known in-the-wild exploits suggests limited current exploitation, but it also means mitigation should happen before attackers weaponize the flaw. Organizations with large user bases or those handling sensitive or regulated data are particularly at risk.
Mitigation Recommendations
Organizations should plan an immediate upgrade of M-Files Server to a fixed version, 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3, or 24.8 LTS SR5 as appropriate for their release line, as soon as those builds are available. Until the upgrade is complete, restrict access to M-Files Web interfaces to trusted networks and users, and enforce strong authentication such as multi-factor authentication so that obtaining an authenticated account (the precondition for this attack) is harder. Monitor active sessions for unusual activity and apply session timeout policies to limit how long a captured token remains valid. Use network segmentation and web application firewalls to detect and block suspicious requests against session management endpoints. Educate users about phishing and social engineering, which are the usual routes to the authenticated access the attacker needs. Review and harden session management configuration, including secure cookie flags (HttpOnly, Secure, SameSite) and token storage practices. Audit user sessions and logs regularly for signs of token theft. Finally, maintain an incident response plan that covers session hijacking so any detected compromise can be contained quickly.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, Sweden, Finland, Switzerland, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: M-Files Corporation
- Date Reserved: 2025-11-11T14:42:39.451Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6944fb8919341fe1888ac951
Added to database: 12/19/2025, 7:15:21 AM
Last enriched: 2/23/2026, 9:00:27 PM
Last updated: 3/24/2026, 12:19:13 AM