CVE-2021-37253

7.5 HIGH

📋 TL;DR

This vulnerability allows denial of service attacks against M-Files Web servers by sending HTTP requests with overlapping Range or Request-Range headers. It affects organizations using M-Files Web versions before 20.10.9524.1. Note that some dispute exists about whether this is truly an application vulnerability versus a web server configuration issue.

💻 Affected Systems

Products:
  • M-Files Web
Versions: All versions before 20.10.9524.1
Operating Systems: Windows Server (primary deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is disputed, as some argue that handling of overlapping ranges should be managed at the web server level rather than in the application

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability for M-Files Web, preventing document management access for all users

🟠 Likely Case: Temporary service degradation or intermittent outages affecting productivity

🟢 If Mitigated: Minimal impact with proper web server configuration and monitoring

🌐 Internet-Facing: HIGH - Publicly accessible instances can be easily targeted
🏢 Internal Only: MEDIUM - Requires internal access but could be exploited by malicious insiders

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required, no authentication needed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20.10.9524.1 and later

Vendor Advisory: https://www.m-files.com/about/trust-center/security-advisories/cve-2021-37253-denial-of-service/

Restart Required: Yes

Instructions:

1. Download M-Files Web version 20.10.9524.1 or later from the M-Files support portal.
2. Back up the current configuration.
3. Install the update following the M-Files documentation.
4. Restart the M-Files Web service.

🔧 Temporary Workarounds

Web Server Range Header Validation

Platform: Windows

Configure the web server (IIS) to reject overlapping Range headers

Configure IIS request filtering rules to validate Range headers

Network Filtering

Platform: All

Use a WAF or network filtering to block malicious Range headers

Configure WAF rules to detect and block overlapping Range headers
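As an added illustration of the validation logic the IIS and WAF workarounds above describe (this is example code, not M-Files' or any WAF vendor's implementation), the following Python parses a Range or Request-Range value into byte ranges and rejects the request when any two ranges overlap; it also caps the number of ranges per request, a common defensive generalization of the same check. The header names, the sample values and the cap of 5 ranges are assumptions.

```python
import re

# One byte-range spec: "first-last", "first-" (to end) or "-suffix" (last N bytes).
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header_value, content_length):
    """Parse a Range/Request-Range value into sorted (first, last) tuples.
    Returns None when the value is malformed. content_length resolves
    open-ended and suffix ranges to absolute offsets."""
    if not header_value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                      # suffix range: last N bytes
            n = int(last)
            if n == 0:
                return None
            start, end = max(content_length - n, 0), content_length - 1
        else:
            start = int(first)
            end = int(last) if last else content_length - 1
            if start > end:
                return None
        ranges.append((start, end))
    return sorted(ranges)


def has_overlapping_ranges(header_value, content_length):
    """True if any two requested byte ranges share at least one byte."""
    ranges = parse_byte_ranges(header_value, content_length)
    if not ranges:
        return False                         # malformed values are handled separately
    for (_, prev_end), (cur_start, _) in zip(ranges, ranges[1:]):
        if cur_start <= prev_end:            # sorted, so this is the only overlap case
            return True
    return False


def range_request_decision(headers, content_length, max_ranges=5):
    """Return 'allow' or 'reject' for a request's header dict (case-insensitive names).
    Rejects malformed values, overlapping ranges, and more than max_ranges ranges."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("range", "request-range"):  # both header names named in this advisory
        value = lowered.get(name)
        if value is None:
            continue
        ranges = parse_byte_ranges(value, content_length)
        if ranges is None or len(ranges) > max_ranges or has_overlapping_ranges(value, content_length):
            return "reject"
    return "allow"
```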

🧯 If You Can't Patch

  • Deploy a web application firewall (WAF) with rules that detect and block overlapping Range headers
  • Monitor for unusual HTTP request patterns and apply rate limiting to M-Files Web endpoints

🔍 How to Verify

Check if Vulnerable:

Check the M-Files Web version in the administration console or in the Windows installed programs list

Check Version:

Open M-Files Server Management Console → About, or examine the installed programs list in Windows

Verify Fix Applied:

Verify that the version is 20.10.9524.1 or later, then confirm that requests with overlapping Range headers are rejected rather than degrading the service

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTP 416 errors
  • Unusual Range header patterns in IIS logs
  • Increased error rates

Network Indicators:

  • HTTP requests with overlapping Range headers
  • Unusual request patterns to M-Files Web endpoints

SIEM Query:

source="IIS" AND (Range:* OR Request-Range:*) AND status=416

Note: the query above assumes the Range and Request-Range header values are present in the ingested logs. Standard IIS W3C log fields do not include the Range header, so it must be logged via IIS custom log fields (IIS 8.5 and later) or captured at the WAF or reverse proxy; without that, the 416 status count and request rate are the usable indicators.
