CVE-2025-5964 is a path traversal vulnerability identified in the M-Files Server software developed by M-Files Corporation. The flaw exists in an API endpoint that fails to properly restrict pathname inputs, allowing an authenticated user to traverse directories and access files outside the intended restricted directory. This vulnerability is classified under CWE-22, which pertains to improper limitation of a pathname to a restricted directory. The issue affects versions of M-Files Server before 25.6.14925.0. The vulnerability requires the attacker to have valid authentication credentials but does not require any user interaction beyond that. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required beyond authentication (PR:L), no user interaction (UI:N), and high impact on confidentiality (VC:H) with no impact on integrity or availability. The scope is high, meaning the vulnerability affects components beyond the initially vulnerable component. Although no public exploits have been reported, the high CVSS score and the nature of the vulnerability make it a critical concern for organizations relying on M-Files Server for document management. Attackers exploiting this vulnerability could read sensitive files, potentially exposing confidential information, internal configurations, or credentials stored on the server. The vulnerability was reserved on June 10, 2025, and published on June 15, 2025, indicating recent discovery and disclosure. No patches or mitigations are currently linked, emphasizing the need for immediate vendor response and customer vigilance.

The primary impact of CVE-2025-5964 is unauthorized disclosure of sensitive information due to the ability to read arbitrary files on the M-Files Server. This can lead to exposure of confidential business documents, internal configurations, user credentials, or other sensitive data stored on the server. Such data leakage can facilitate further attacks, including privilege escalation, lateral movement, or targeted espionage. Since the vulnerability requires authentication but no user interaction, it can be exploited by any user with valid credentials, including low-privileged insiders or compromised accounts, increasing the risk of insider threats or credential abuse. The high scope impact means that the vulnerability could affect multiple components or services relying on the server, potentially amplifying damage. Organizations using M-Files Server in regulated industries (e.g., finance, healthcare, government) face compliance risks and reputational damage if sensitive data is exposed. The lack of known exploits in the wild currently limits immediate widespread impact, but the vulnerability’s characteristics make it a likely target for attackers once exploit code becomes available.

1. Immediately monitor for updates and patches from M-Files Corporation and apply the official patch for version 25.6.14925.0 or later as soon as it is released. 2. Restrict access to the M-Files Server API endpoints to only trusted and necessary users and systems using network segmentation and firewall rules. 3. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of compromised credentials being used to exploit this vulnerability. 4. Conduct regular audits of user accounts and permissions to ensure that only authorized personnel have access to the server and its API. 5. Implement application-layer filtering or web application firewalls (WAFs) that can detect and block path traversal patterns in API requests. 6. Monitor server logs for unusual file access patterns or attempts to access files outside expected directories. 7. Educate administrators and users about the risks of credential compromise and the importance of secure password practices. 8. If patching is delayed, consider temporarily disabling or restricting the vulnerable API endpoints if feasible without disrupting business operations. 9. Review and harden file system permissions on the server to minimize the exposure of sensitive files even if path traversal is attempted.