### #MFilesSecurity #InfoManagementRisks #VulnerabilityMitigation
Summary: M-Files has issued critical security updates to address two vulnerabilities in its server software that could potentially expose sensitive files or allow unauthorized access. Users are strongly advised to upgrade to version 24.11 or later to safeguard against these threats.
Threat Actor: Unknown | unknown
Victim: M-Files | M-Files
Key Points:
- Two vulnerabilities identified: CVE-2024-10126 (local file inclusion) and CVE-2024-10127 (authentication bypass).
- CVE-2024-10126 allows an authenticated user to read a limited set of file types from the server's local filesystem through the document preview feature.
- CVE-2024-10127 allows login without a password when M-Files uses LDAP authentication and the LDAP server is misconfigured to allow anonymous binding.
- M-Files recommends updating to version 24.11 or later to mitigate these risks.

M-Files, a leading provider of information management solutions, has released security updates to address two vulnerabilities in its server software. The vulnerabilities, identified as CVE-2024-10126 and CVE-2024-10127, could allow attackers to read sensitive files or bypass authentication under certain conditions.
CVE-2024-10126 (CVSSv4 5.3) is a local file inclusion vulnerability that allows an authenticated user to read files from the server's local filesystem. It affects M-Files Server versions before 24.11, except the patched service releases 24.8 SR1, 24.2 SR3 and 23.8 SR7. As stated in the advisory, the vulnerability allows an attacker to “read server local files of a limited set of filetypes via document preview.” The requirement for a valid account and the restriction to certain file types keep the score in the medium range, but a low-privileged user reading server-side files is still a meaningful disclosure.
CVE-2024-10127 (CVSSv4 9.2) is an authentication bypass vulnerability that affects M-Files Server versions before 24.11 when configured with LDAP authentication. If the LDAP server is misconfigured to allow anonymous binding, an attacker can be authenticated to M-Files without supplying a password: the directory answers an empty-credential bind with success (binding the session anonymously rather than as the named user), and a server that treats any successful bind as a verified identity accepts the login. The advisory clarifies that “anonymous binding is not enabled by default in LDAP servers.” Because the bypass depends on the directory's configuration, confirming that the directory rejects binds with a blank password is a sensible companion to the upgrade, but not a substitute for it.
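The pattern behind this class of bypass, as an added example that is not M-Files code and not taken from the advisory: an application that equates "bind succeeded" with "user authenticated", run against a directory that accepts empty-credential binds. RFC 4513 section 5.1 defines two credential-less simple binds, anonymous (empty name and empty password) and unauthenticated (a name with an empty password); a permissive server answers both with success but binds the session anonymously. The directory below is a constructed in-memory stand-in, and the names, sample DNs and passwords are assumptions made for the example; no real LDAP server is contacted.

```python
"""Constructed model of an LDAP simple-bind authentication bypass and its fix.

Not M-Files code. FakeDirectory stands in for an LDAP server; the user DN
and password below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    authzid: str  # identity the session is bound as; "" means anonymous


class FakeDirectory:
    """Minimal simple-bind semantics of an LDAP server (RFC 4513 s5.1)."""

    def __init__(self, users: dict[str, str], allow_anonymous_bind: bool):
        self.users = users  # DN -> password
        # One switch covers both credential-less forms: anonymous
        # (dn == "") and unauthenticated (dn != "", password == "").
        self.allow_anonymous_bind = allow_anonymous_bind

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if password == "":
            if self.allow_anonymous_bind:
                # Misconfigured: reports success, but the session is anonymous,
                # not bound as the named user.
                return BindResult(True, "")
            # Hardened: empty credentials are refused (invalidCredentials).
            return BindResult(False, "")
        if self.users.get(dn) == password:
            return BindResult(True, dn)
        return BindResult(False, "")


def login_vulnerable(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Treats any successful bind as a login; a blank password gets in whenever
    the directory allows anonymous binds."""
    return directory.simple_bind(dn, password).success


def login_hardened(directory: FakeDirectory, dn: str, password: str) -> bool:
    """Two independent checks. Never send an empty credential (RFC 4513
    s5.1.2 says clients SHOULD NOT), and confirm the session really is bound
    as the requested identity, as a real client would with the "Who am I?"
    extended operation (RFC 4532)."""
    if not dn or not password:
        return False
    result = directory.simple_bind(dn, password)
    return result.success and result.authzid == dn


def directory_accepts_empty_password(directory: FakeDirectory, dn: str) -> bool:
    """Configuration check: does a name-plus-empty-password bind succeed?
    True means the precondition for the bypass exists on this directory."""
    return directory.simple_bind(dn, "").success


if __name__ == "__main__":
    alice = "cn=alice,dc=example,dc=com"  # constructed
    users = {alice: "s3cret"}  # constructed
    for allow in (True, False):
        d = FakeDirectory(users, allow_anonymous_bind=allow)
        print(
            f"anonymous bind allowed={allow}: "
            f"empty password accepted={directory_accepts_empty_password(d, alice)} "
            f"vulnerable login={login_vulnerable(d, alice, '')} "
            f"hardened login={login_hardened(d, alice, '')}"
        )
```

Against a real directory the same precondition check is a bind with a valid DN and an empty password using an LDAP client such as OpenLDAP's `ldapwhoami` (`-x -D "<dn>" -w ''`); the bind should be refused. The application-side rejection of blank credentials is defence in depth, and neither check replaces upgrading the M-Files server.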
M-Files urges all users to update their server software to version 24.11 or later to mitigate these vulnerabilities. The company emphasizes that “the issue can be remediated by updating the M-Files server to a patched version.”