M-Files, the intelligent information management platform used by enterprises to organize their documents, has issued a security advisory addressing two distinct vulnerabilities. The most critical of the pair could allow a malicious insider to silently steal the digital identities of colleagues, granting them full access to sensitive data under the guise of another user.
The two vulnerabilities, tracked as CVE-2025-13008 and CVE-2025-14267, expose organizations to risks ranging from session hijacking to inadvertent data leaks.
The headline threat is CVE-2025-13008, a high-severity vulnerability with a CVSS score of 8.6. This “Session Token Disclosure” flaw strikes at the heart of user authentication in the M-Files Web interface.
The vulnerability is particularly dangerous because it does not require a complex external hack. Instead, it allows an authenticated attacker—someone who already has valid access to the system—to capture the active session tokens of other users.
“An attacker could obtain session tokens of other users to impersonate them and perform actions with their identity and permissions,” the advisory warns.
Once a session token is stolen, the attacker effectively becomes the victim in the eyes of the server. They can navigate vaults, view confidential documents, and perform actions with the victim’s privileges; because every request is attributed to the victim’s account, standard access logs record the activity as that user’s own and would not flag it as suspicious.
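Since a hijacked session is logged as the victim, one defender-side check is to look for the same session identifier being used from more than one client fingerprint (source IP and user agent). The following is an added illustration, not M-Files code or an M-Files log format: it assumes a hypothetical space-separated web access log in which only a short session-id prefix is recorded, and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not M-Files' own):
# timestamp client_ip user session_prefix user_agent method path
SAMPLE_LOG = """\
2025-12-16T09:00:01Z 10.0.0.12 alice sess_a1b2 Firefox/133 GET /vault/views
2025-12-16T09:00:05Z 10.0.0.12 alice sess_a1b2 Firefox/133 GET /vault/objects/101
2025-12-16T09:02:10Z 10.0.0.44 alice sess_a1b2 Chrome/131 GET /vault/objects/102
2025-12-16T09:02:15Z 10.0.0.44 alice sess_a1b2 Chrome/131 GET /vault/objects/103/files
2025-12-16T09:03:00Z 10.0.0.44 bob sess_c3d4 Chrome/131 GET /vault/views
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
FIELDS = ("ts", "ip", "user", "session", "ua", "method", "path")

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def find_shared_sessions(log_text):
    """Map session id -> sorted distinct (ip, user_agent) pairs, for sessions
    seen from more than one client fingerprint (candidate hijacks)."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            clients[rec["session"]].add((rec["ip"], rec["ua"]))
    return {s: sorted(c) for s, c in clients.items() if len(c) > 1}

def first_anomalous_request(log_text):
    """For each session, return the first request whose client fingerprint differs
    from the fingerprint that started the session: the point to begin triage."""
    first_fp, anomalies = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        fp = (rec["ip"], rec["ua"])
        sess = rec["session"]
        if sess not in first_fp:
            first_fp[sess] = fp
        elif fp != first_fp[sess] and sess not in anomalies:
            anomalies[sess] = rec
    return anomalies

if __name__ == "__main__":
    print(find_shared_sessions(SAMPLE_LOG))
    print(first_anomalous_request(SAMPLE_LOG))
```

Legitimate network changes (VPN reconnects, mobile roaming, proxies) produce the same pattern, so treat a hit as a triage lead rather than proof of compromise, and never log the full token value.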
This flaw affects M-Files Server versions prior to 25.12.15491.7, as well as several Long Term Support (LTS) releases including 25.8 LTS SR3, 25.2 LTS SR3, and 24.8 LTS SR5.
The second vulnerability, CVE-2025-14267, is a moderate-severity issue (CVSS 5.6).
This flaw occurs when an administrator attempts to create a copy of a document vault using the “metadata structure only” option—essentially copying the filing cabinet structure without the files inside. However, because temporary cache data is not scrubbed, information from the source vault can bleed into the new copy.
“The data could have included possibly sensitive data or data categorized as PII, such as file names, user names and comments,” the report states.
This manifests strangely for users: random activity feed data from the original vault might suddenly appear on objects in the new vault, potentially revealing the existence of confidential files or discussions to users who shouldn’t see them.
M-Files Corporation has released updates to close both security gaps. Administrators are urged to upgrade their M-Files Server to version 25.12.15491.7 or newer immediately.