
CVE-2025-2091: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in M-Files Corporation M-Files Mobile

Severity: Medium
Published: Mon Jun 16 2025 (06/16/2025, 08:27:13 UTC)
Source: CVE Database V5
Vendor/Project: M-Files Corporation
Product: M-Files Mobile

Description

An open redirection vulnerability in M-Files mobile applications for Android and iOS prior to version 25.6.0 allows attackers to use maliciously crafted PDF files to trick other users into making requests to untrusted URLs.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/23/2026, 21:00:58 UTC

Technical Analysis

CVE-2025-2091 is an open redirect vulnerability, classified under CWE-601, in M-Files Mobile applications for Android and iOS prior to version 25.6.0. Open redirection occurs when an application accepts untrusted input that causes it to redirect users to external, potentially malicious websites. In this case, attackers can use maliciously crafted PDF files that cause the M-Files Mobile app to redirect users to attacker-controlled URLs. This redirection can be used for phishing attacks, social engineering, or to deliver malware payloads by leveraging the trust users place in the M-Files Mobile app environment. The vulnerability does not require authentication but does require user interaction (opening the malicious PDF). The CVSS score of 4.8 indicates medium severity, reflecting that while the vulnerability can be exploited remotely without privileges, the impact on confidentiality, integrity, and availability is limited primarily to user deception and potential indirect compromise. No public exploits have been reported to date. The vulnerability was reserved in March 2025 and published in June 2025. M-Files Corporation has addressed this issue in version 25.6.0 of its mobile app, though no direct patch links are provided in the source data.

Potential Impact

The primary impact of this vulnerability is on user trust and potential exposure to phishing or malware delivery through trusted enterprise applications. Organizations using M-Files Mobile risk their users being redirected to malicious sites, which could lead to credential theft, unauthorized access, or further compromise of enterprise systems if users are tricked into divulging sensitive information or downloading malware. While the vulnerability does not directly compromise the M-Files Mobile app’s confidentiality or integrity, the indirect effects can be significant, especially in environments where M-Files is used for sensitive document management. The requirement for user interaction limits automated exploitation but does not eliminate risk, particularly in targeted attacks or spear-phishing campaigns. This vulnerability could affect industries relying heavily on M-Files Mobile for document workflows, including finance, healthcare, legal, and government sectors.

Mitigation Recommendations

Organizations should immediately upgrade M-Files Mobile applications on all Android and iOS devices to version 25.6.0 or later, where the vulnerability is fixed. Additionally, implement strict email and document scanning policies to detect and block malicious PDFs before they reach end users. User awareness training should emphasize caution when opening PDFs from untrusted or unexpected sources, especially within enterprise mobile environments. Consider deploying mobile threat defense (MTD) solutions that can detect suspicious redirection behaviors or block access to known malicious URLs. Where possible, configure M-Files Mobile and associated systems to restrict or validate URLs before redirection occurs. Monitoring and logging user access patterns for unusual redirection events can help detect exploitation attempts. Finally, coordinate with M-Files support for any additional recommended security configurations or patches.
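The document-scanning and URL-validation steps above can be combined into one pre-delivery check; the following is an added example, not M-Files code or part of the original advisory. It assumes the URL is carried as a PDF `/URI` action in an uncompressed object (the advisory does not say how the PDF carries it), and the allowlisted hosts and the sample bytes are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Hypothetical organisation allowlist; replace with your own M-Files hosts.
TRUSTED_HOSTS = {"mfiles.example.com", "intranet.example.com"}

# Literal-string form of a PDF URI action: /URI (...), escaped chars allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")

# Constructed sample: three link annotations in uncompressed objects.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Subtype /Link /A << /S /URI"
    b" /URI (https://mfiles.example.com/doc/42) >> >> endobj\n"
    b"2 0 obj << /Subtype /Link /A << /S /URI"
    b" /URI (https://mfiles.example.com.evil.example.net/login) >> >> endobj\n"
    b"3 0 obj << /Subtype /Link /A << /S /URI"
    b" /URI (https://mfiles.example.com@evil.example.net/) >> >> endobj\n"
)

def extract_uris(pdf_bytes):
    """Return URI targets found in uncompressed objects of a PDF."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        # Undo PDF backslash escapes such as \( and \) inside the string.
        raw = re.sub(rb"\\(.)", rb"\1", match.group(1), flags=re.S)
        uris.append(raw.decode("latin-1").strip())
    return uris

def is_trusted(url):
    """Accept only https URLs whose exact host is on the allowlist."""
    if "\\" in url:                      # browsers may treat "\" as "/"
        return False
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:                   # malformed authority
        return False
    if parts.scheme != "https" or "@" in parts.netloc:
        return False
    return host in TRUSTED_HOSTS

def untrusted_links(pdf_bytes):
    """URIs a scanner should flag before the document reaches users."""
    return [u for u in extract_uris(pdf_bytes) if not is_trusted(u)]

if __name__ == "__main__":
    for link in untrusted_links(SAMPLE_PDF):
        print("flag:", link)
```

Links stored inside compressed object streams are not visible to this byte-level scan; a production scanner would decode the PDF with a full parser before applying the same host check.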


Technical Details

Data Version: 5.1
Assigner Short Name: M-Files Corporation
Date Reserved: 2025-03-07T11:57:54.664Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684fda92a8c921274383e0a4

Added to database: 6/16/2025, 8:49:22 AM

Last enriched: 2/23/2026, 9:00:58 PM

Last updated: 3/24/2026, 8:33:39 PM
