CVE-2021-41809
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in M-Files Server products. It allows attackers to make the server issue unauthorized requests when it previews certain document types that reference external entities. Organizations running affected M-Files Server versions are at risk.
💻 Affected Systems
- M-Files Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, perform port scanning, or interact with cloud metadata services to potentially escalate privileges or access sensitive data.
Likely Case
Information disclosure from internal services accessible to the M-Files server, potentially including cloud metadata or internal APIs.
If Mitigated
Limited impact if network segmentation restricts the M-Files server's access to sensitive internal resources.
🎯 Exploit Status
Requires user access to upload or reference specific document types that trigger the vulnerable preview function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.1.11017.1 and later
Vendor Advisory: https://empower.m-files.com/security-advisories/CVE-2021-41809
Restart Required: Yes
Instructions:
1. Download M-Files Server version 22.1.11017.1 or later from the M-Files customer portal.
2. Run the installer on the M-Files Server.
3. Follow the upgrade wizard.
4. Restart the M-Files Server service.
🔧 Temporary Workarounds
Disable preview functionality
Platform: Windows. Temporarily disable document preview features to prevent exploitation.
Configure via M-Files Admin: Settings > Document Preview > Disable
Network segmentation
Platform: All. Restrict M-Files Server's outbound network access to only required services.
Configure firewall rules to limit outbound connections from M-Files Server
🧯 If You Can't Patch
- Implement strict network segmentation to limit the M-Files server's outbound access to only necessary services.
- Disable document preview functionality for untrusted users or document types.
🔍 How to Verify
Check if Vulnerable:
Check M-Files Server version in Admin Console: Help > About M-Files Server
Check Version:
In M-Files Admin Console: Help > About M-Files Server
Verify Fix Applied:
Verify version is 22.1.11017.1 or later in Admin Console
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from M-Files Server to internal IPs or cloud metadata endpoints
- Failed preview generation attempts for specific document types
Network Indicators:
- HTTP requests from M-Files Server to unexpected internal services or cloud metadata IPs (169.254.169.254 for AWS, etc.)
SIEM Query:
source="M-Files Server" AND (destination_ip=169.254.169.254 OR destination_ip IN [internal_range]) AND http_method=GET
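The detection logic of the query above, run over constructed egress log lines, as an added example that is not part of the advisory or of M-Files' own tooling; the hostname MFILES-SRV01, the key=value log format and the allowlisted 10.20.30.50 destination are assumptions.

```python
import ipaddress

# Constructed sample egress log lines (firewall/proxy style); not real M-Files output.
SAMPLE_LOGS = [
    "2021-10-05T10:01:02Z src_host=MFILES-SRV01 dst_ip=10.20.30.40 method=GET url=http://10.20.30.40/admin",
    "2021-10-05T10:01:05Z src_host=MFILES-SRV01 dst_ip=169.254.169.254 method=GET url=http://169.254.169.254/latest/meta-data/",
    "2021-10-05T10:01:30Z src_host=MFILES-SRV01 dst_ip=10.20.30.50 method=GET url=http://10.20.30.50/health",
    "2021-10-05T10:02:00Z src_host=MFILES-SRV01 dst_ip=93.184.216.34 method=GET url=http://example.com/license",
    "2021-10-05T10:02:10Z src_host=WKSTN-07 dst_ip=10.20.30.40 method=GET url=http://10.20.30.40/",
    "2021-10-05T10:03:00Z src_host=MFILES-SRV01 dst_ip=10.20.30.41 method=POST url=http://10.20.30.41/api",
]

MFILES_HOSTS = {"MFILES-SRV01"}  # assumed hostname(s) of the M-Files server
METADATA_IPS = {ipaddress.ip_address("169.254.169.254")}  # metadata endpoint named on the page
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_INTERNAL = {ipaddress.ip_address("10.20.30.50")}  # assumed known-good destinations (e.g. the DB host)

def parse_line(line):
    """Split a 'key=value' log line into a dict; the leading token is the timestamp."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields

def classify(fields, methods=("GET",)):
    """Return 'metadata', 'internal' or None for one parsed line.
    The page's SIEM query restricts to GET (the default); methods=None inspects every method."""
    if fields.get("src_host") not in MFILES_HOSTS:
        return None  # only egress from the M-Files server is of interest
    if methods is not None and fields.get("method") not in methods:
        return None
    ip = ipaddress.ip_address(fields["dst_ip"])
    if ip in METADATA_IPS:
        return "metadata"  # cloud metadata service: always flag, regardless of allowlist
    if ip in EXPECTED_INTERNAL:
        return None  # a destination the server legitimately talks to
    if any(ip in net for net in INTERNAL_RANGES):
        return "internal"  # unexpected RFC 1918 destination
    return None

def find_ssrf_indicators(lines, methods=("GET",)):
    """Return (timestamp, dst_ip, reason) for each line matching the page's indicators."""
    hits = []
    for fields in map(parse_line, lines):
        reason = classify(fields, methods)
        if reason:
            hits.append((fields["ts"], fields["dst_ip"], reason))
    return hits
```

Note that the GET-only default mirrors the page's query and therefore misses the POST line in the sample; pass methods=None to widen the match.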