CVE-2025-0619: Unsafe stored password recovery

DESCRIPTION

Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords.

AFFECTED PRODUCTS

M-Files Server before 25.1.14445.5

MORE INFORMATION

A system administrator or vault administrator could recover an external connector password. Users at this level are highly privileged and can already set the password, but recovering the stored value is not permitted.

Note: This vulnerability does NOT affect any other type of user or administrative password. EOT connectors are not used by default. The vulnerability matters essentially in the situation where multiple admin users exist on the same M-Files Vault and have varying privileges on the external systems that EOT connects to.
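The design point behind CWE-522 here is that a stored connector credential should be write-only for administrators: they may set it and the server may use it, but no admin-facing view returns it. The following is an added illustration of that boundary, not M-Files code; the class, role names and connector names are assumptions.

```python
# Added illustration (not M-Files code): an external-connector credential store
# that lets admins set and use a password but never read it back.

ADMIN_ROLES = ("system_admin", "vault_admin")  # assumed role names


class ConnectorSecretStore:
    """Keeps external-connector passwords server-side, write-only for admins."""

    def __init__(self):
        self._secrets = {}  # connector name -> password, never exported

    def set_password(self, connector, password, actor):
        # Admins may (re)set the credential; this matches the advisory's note
        # that they can already set it.
        if actor.get("role") not in ADMIN_ROLES:
            raise PermissionError("only administrators may set connector passwords")
        self._secrets[connector] = password

    def export_config(self, connector, actor):
        # Admin-facing configuration view: reports presence only. The unsafe
        # pattern the advisory describes is returning the stored value here.
        if actor.get("role") not in ADMIN_ROLES:
            raise PermissionError("only administrators may view connector config")
        return {"connector": connector, "password_set": connector in self._secrets}

    def open_connection(self, connector, dial):
        # Only server-side code consumes the secret, through a callback, so the
        # value never crosses the admin UI/API boundary.
        if connector not in self._secrets:
            raise KeyError(f"no credential stored for connector {connector!r}")
        return dial(self._secrets[connector])


def config_leaks_secret(store, connector, actor, secret):
    """Check used to audit a config export: True if the stored value appears."""
    exported = store.export_config(connector, actor)
    return secret in repr(exported)


if __name__ == "__main__":
    store = ConnectorSecretStore()
    admin = {"role": "vault_admin"}           # constructed sample actor
    store.set_password("crm", "example-pass", admin)
    print(store.export_config("crm", admin))  # {'connector': 'crm', 'password_set': True}
    print(config_leaks_secret(store, "crm", admin, "example-pass"))  # False
```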

CVSS 4.0 CVSS-B Score: 4.6

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N

CWE: CWE-522: Insufficiently Protected Credentials

CAPEC: CAPEC-212: Functionality Misuse

Internal ID: DXR-88

Date issued: 2025-01-23

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: low – internally found

LINKS

https://www.cve.org/CVERecord?id=CVE-2025-0619

HISTORY

2025-01-23 Published
2025-01-24 Updated section “More information” with clear scope of the vulnerability.
