CVE-2025-46294: IIS Shortname Vulnerability in Claris FileMaker Server. The vulnerability exploits how Microsoft IIS handles legacy 8.3 short filenames, allowing attackers to infer the existence of files or directories by crafting requests with the tilde (~) character.
CVE-2025-46294 is a medium-severity vulnerability affecting Claris FileMaker Server that leverages Microsoft IIS's handling of legacy 8.3 short filenames. Attackers can exploit this by sending crafted requests containing the tilde (~) character to infer the existence of files or directories on the server, potentially revealing sensitive information. The vulnerability does not allow modification or deletion of data, nor does it require authentication or user interaction. It primarily impacts confidentiality by enabling information disclosure. FileMaker Server 22.0.4 addresses this issue by providing an option to disable IIS short filename enumeration via the NtfsDisable8dot3NameCreation registry setting. European organizations using vulnerable versions of FileMaker Server on IIS should apply this update promptly. Countries with significant adoption of Microsoft IIS and FileMaker Server, such as Germany, the UK, France, and the Netherlands, are more likely to be affected.
AI Analysis
Technical Summary
CVE-2025-46294 is a vulnerability in Claris FileMaker Server that stems from the way Microsoft Internet Information Services (IIS) handles legacy 8.3 short filenames. IIS retains backward compatibility with the 8.3 filename convention, which represents long filenames in a truncated form containing a tilde (~) character. Attackers can craft HTTP requests containing the tilde character to enumerate short filenames and infer the existence of files or directories on the server. This side-channel information disclosure can reveal hidden or sensitive files that would otherwise be unknown to an attacker.

The vulnerability does not grant access to file contents or allow modification; it leaks metadata about the file system structure, which can be leveraged in further attacks such as targeted reconnaissance or privilege escalation. The issue arises because IIS responds differently to requests with valid versus invalid shortname patterns, enabling attackers to distinguish existing files from non-existent ones.

Claris addressed this vulnerability in FileMaker Server version 22.0.4 by including an installer option to disable IIS short filename enumeration through the Windows registry key NtfsDisable8dot3NameCreation. Disabling 8.3 name creation prevents IIS from generating or recognizing these legacy short filenames, mitigating the attack vector.

The CVSS v3.1 base score is 5.3 (medium severity), reflecting the network attack vector, low complexity, no privileges or user interaction required, and limited confidentiality impact with no integrity or availability effects. No known exploits have been reported in the wild, but the vulnerability poses a risk to organizations running vulnerable FileMaker Server versions on IIS, especially where sensitive data is stored. The CWE classification is CWE-200 (Information Exposure).
Potential Impact
For European organizations, this vulnerability primarily threatens confidentiality by allowing attackers to discover the presence of files or directories that may contain sensitive information. While it does not directly compromise data integrity or availability, the information gained can facilitate more targeted attacks, such as identifying configuration files, backup files, or proprietary data stores. Organizations using Claris FileMaker Server on Microsoft IIS are at risk, particularly if they have not applied the 22.0.4 update or disabled 8.3 name creation. This could impact sectors with sensitive data such as finance, healthcare, government, and legal services. The ease of exploitation (no authentication or user interaction required) increases the risk of opportunistic scanning and reconnaissance by attackers. However, the lack of known exploits in the wild and the medium severity score suggest the immediate risk is moderate. Still, failure to mitigate could lead to information leakage that aids in subsequent attacks, potentially increasing overall organizational risk posture.
Mitigation Recommendations
1. Upgrade Claris FileMaker Server to version 22.0.4 or later, which includes the option to disable IIS short filename enumeration.
2. Configure the Windows registry key NtfsDisable8dot3NameCreation to disable 8.3 name creation on volumes hosting FileMaker Server data, preventing IIS from generating or recognizing short filenames.
3. Review IIS server configurations to limit or block HTTP requests containing tilde (~) characters if feasible, using web application firewalls or URL filtering rules.
4. Conduct regular security audits and monitoring for unusual HTTP requests that attempt to enumerate files via shortname patterns.
5. Educate system administrators about the risks of legacy 8.3 filename support and encourage disabling it where compatibility is not required.
6. Implement network segmentation and least privilege principles to limit exposure of FileMaker Server instances to untrusted networks.
7. Maintain up-to-date backups and incident response plans to quickly address any potential exploitation attempts.
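As a worked illustration of the monitoring recommended in item 4, the following is an added example (not code from Claris, Microsoft or this advisory) that parses IIS W3C log lines and flags clients issuing repeated requests whose path carries an 8.3-style short name (a tilde followed by a digit, encoded or not). The log excerpt, the field layout chosen for it, and the alert threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (sample data, not from the advisory).
# The #Fields directive defines the column order, as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-12-16 19:09:15 10.0.0.5 GET /fmi/webd - 443 203.0.113.7 200
2025-12-16 19:09:16 10.0.0.5 GET /fmi/ADMINC~1/ - 443 198.51.100.9 404
2025-12-16 19:09:16 10.0.0.5 GET /fmi/BACKUP~1/ - 443 198.51.100.9 404
2025-12-16 19:09:17 10.0.0.5 GET /fmi/CONFIG~1.XML - 443 198.51.100.9 404
2025-12-16 19:09:17 10.0.0.5 GET /fmi/DATABA~1/ - 443 198.51.100.9 404
2025-12-16 19:09:20 10.0.0.5 GET /fmi/README~1.TXT - 443 203.0.113.7 404
"""

# An 8.3 short name carries a tilde followed by a digit (e.g. CONFIG~1);
# a URL-encoded tilde (%7E) is matched too so encoding does not hide it.
SHORTNAME_RE = re.compile(r"(?:~|%7e)\d", re.IGNORECASE)


def parse_w3c(text):
    """Parse IIS W3C log text into dicts keyed by the #Fields column names."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                            # other directives and blank lines
        elif fields:
            entries.append(dict(zip(fields, line.split())))
    return entries


def is_shortname_probe(uri_stem):
    """True when the request path looks like an 8.3 short-name lookup."""
    return SHORTNAME_RE.search(uri_stem) is not None


def find_shortname_probes(text, threshold=3):
    """Return {client_ip: probe_count} for clients at or above the threshold."""
    counts = Counter(e["c-ip"] for e in parse_w3c(text)
                     if is_shortname_probe(e.get("cs-uri-stem", "")))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_shortname_probes(SAMPLE_LOG).items():
        print(f"{ip}: {n} short-name probes")
```

The registry change in item 2 only stops new short names from being generated; names already on the volume persist until stripped (for example with `fsutil 8dot3name strip`), so a log scan like this stays useful after the setting is applied.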
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2025-04-22T21:13:49.959Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6941ae5b0d5f6f4391b0c3a3
Added to database: 12/16/2025, 7:09:15 PM
Last enriched: 12/23/2025, 7:34:16 PM
Last updated: 2/7/2026, 4:41:10 AM