CVE-2025-46294 is a security vulnerability affecting Claris FileMaker Server installations that utilize Microsoft Internet Information Services (IIS) web server. The root cause lies in IIS's legacy support for 8.3 short filenames, a backward compatibility feature that generates abbreviated filenames (e.g., 'PROGRA~1' for 'Program Files'). Attackers can exploit this behavior by crafting HTTP requests containing the tilde (~) character followed by partial filenames to enumerate the presence of files or directories on the server. This side-channel information disclosure allows attackers to map the server's file system structure, potentially identifying sensitive or hidden files that could be leveraged in further attacks. The vulnerability does not directly allow code execution or privilege escalation but facilitates reconnaissance. Claris addressed this issue in FileMaker Server version 22.0.4 by including an option in the installer to disable IIS short filename enumeration through the Windows registry key NtfsDisable8dot3NameCreation. Disabling this feature prevents IIS from responding to requests that exploit the 8.3 filename enumeration, effectively mitigating the vulnerability. No public exploits have been reported to date, and the affected versions are unspecified, implying that all versions prior to 22.0.4 may be vulnerable if IIS is used. The vulnerability highlights the risks of legacy features in modern environments and the importance of disabling unnecessary backward compatibility options.

For European organizations, the primary impact of CVE-2025-46294 is unauthorized information disclosure. By enumerating files and directories, attackers can gain insights into the server's structure, potentially identifying sensitive configuration files, backup files, or other data that could facilitate further exploitation or data breaches. This reconnaissance capability can increase the likelihood of successful targeted attacks, including privilege escalation or data exfiltration. Organizations relying on FileMaker Server for critical business applications, especially those integrated with IIS, may face increased risk of exposure of intellectual property or personal data, which could lead to regulatory non-compliance under GDPR. Although the vulnerability does not directly compromise system integrity or availability, the information leakage can be a stepping stone for more severe attacks. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits following public vulnerability disclosures.

European organizations should take the following specific steps to mitigate CVE-2025-46294: 1) Upgrade all FileMaker Server instances to version 22.0.4 or later, which includes the fix to disable IIS short filename enumeration. 2) Manually verify and set the Windows registry key NtfsDisable8dot3NameCreation to disable 8.3 name creation on volumes hosting FileMaker Server data and IIS web content. This can be done via the command line or Group Policy for multiple systems. 3) Audit IIS configurations to ensure legacy features like 8.3 filename support are disabled where not required. 4) Implement strict access controls and monitoring on FileMaker Server and IIS logs to detect unusual requests containing tilde characters or suspicious enumeration patterns. 5) Conduct internal penetration testing focusing on file enumeration techniques to validate the effectiveness of mitigations. 6) Educate system administrators about the risks of legacy compatibility features and the importance of minimizing attack surface by disabling unnecessary options. 7) Maintain up-to-date backups and incident response plans in case of exploitation attempts. These targeted actions go beyond generic patching and help reduce exposure to this specific vulnerability.