CVE-2022-1911
📋 TL;DR
CVE-2022-1911 is an information disclosure vulnerability in M-Files Server where an error in the parser function allows unauthenticated attackers to access some operating system information. This affects organizations running vulnerable M-Files Server versions before the patched releases. The vulnerability exposes system details that could aid further attacks.
💻 Affected Systems
- M-Files Server
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain sensitive OS configuration details, user information, or network data that enables follow-on attacks like privilege escalation or lateral movement.
Likely Case
Unauthenticated attackers gather basic system information (OS version, hostname, network details) that helps reconnaissance for more targeted attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to information leakage without enabling further compromise.
🎯 Exploit Status
The vulnerability requires no authentication and appears to be relatively simple to exploit based on the description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.6.11534.1 or 22.6.11505.0 (depending on release track)
Vendor Advisory: https://empower.m-files.com/security-advisories/CVE-2022-1911
Restart Required: Yes
Instructions:
1. Download the patched version from M-Files Empower portal.
2. Backup your M-Files Server configuration and databases.
3. Run the installer to upgrade.
4. Restart the M-Files Server service.
5. Verify the version is updated.
🔧 Temporary Workarounds
Network Access Restriction
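Platform: Windows. Restrict access to M-Files Server to trusted IP addresses only using firewall rules.
Windows Firewall (PowerShell; 192.168.1.0/24 is an example range, substitute your trusted network): New-NetFirewallRule -DisplayName "M-Files Restrict" -Direction Inbound -Protocol TCP -LocalPort 443,2266 -RemoteAddress 192.168.1.0/24 -Action Allow
Windows Firewall allow rules are additive, so this rule only restricts access if no broader inbound allow rule already exists for these ports.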
Reverse Proxy Configuration
Platform: all. Place M-Files Server behind a reverse proxy with request filtering and authentication.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate M-Files Server from untrusted networks
- Deploy a web application firewall (WAF) with rules to block suspicious parser requests
🔍 How to Verify
Check if Vulnerable:
Check the M-Files Server version in the M-Files Admin tool under Help > About. If the version is below the patched release for your release track (22.6.11534.1 or 22.6.11505.0), the system is vulnerable.
Check Version:
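In M-Files Admin: Help > About shows the version. PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*M-Files Server*"} | Select-Object Version
Querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, so the command is slow and can trigger package repairs; prefer running it outside peak hours.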
Verify Fix Applied:
After patching, verify the version shows 22.6.11534.1 or higher (or 22.6.11505.0 or higher). Test that unauthenticated requests to parser endpoints no longer return OS information.
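The version check above, applied to a list of servers, as an added example that is not from the vendor or the original page. The function name `Get-MFilesPatchStatus` and the inventory entries are hypothetical and constructed for illustration; because the page does not say which release track each patched build belongs to, builds between the two are flagged for a manual check. Requires PowerShell 5 or later.

```powershell
# Patched builds as listed on this page. The page does not map them to
# release tracks, so versions between the two are reported as ambiguous.
$PatchedLow  = [version]'22.6.11505.0'
$PatchedHigh = [version]'22.6.11534.1'

function Get-MFilesPatchStatus {
    param([string]$VersionString)

    $v = $null
    # TryParse avoids a terminating error on empty or malformed inventory values.
    if (-not [version]::TryParse($VersionString.Trim(), [ref]$v)) {
        return 'Unknown (unparseable version)'
    }

    # A missing Build or Revision parses as -1 and would sort below ".0",
    # so pad short versions to four components before comparing.
    $v = [version]::new($v.Major, $v.Minor,
                        [Math]::Max($v.Build, 0), [Math]::Max($v.Revision, 0))

    if ($v -lt $PatchedLow)  { return 'Vulnerable' }
    if ($v -ge $PatchedHigh) { return 'Patched' }
    return 'Check release track against vendor advisory'
}

# Constructed inventory: server names and versions are sample values only.
$inventory = @(
    [pscustomobject]@{ Server = 'mf-app-01'; Version = '22.4.11000.0' }
    [pscustomobject]@{ Server = 'mf-app-02'; Version = '22.6.11505' }
    [pscustomobject]@{ Server = 'mf-app-03'; Version = '22.6.11520.2' }
    [pscustomobject]@{ Server = 'mf-app-04'; Version = '22.6.11534.1' }
    [pscustomobject]@{ Server = 'mf-app-05'; Version = 'n/a' }
)

$inventory | Select-Object Server, Version,
    @{ Name = 'Status'; Expression = { Get-MFilesPatchStatus $_.Version } }
```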
📡 Detection & Monitoring
Log Indicators:
- Unusual unauthenticated requests to parser endpoints in M-Files Server logs
- Multiple failed authentication attempts followed by parser function calls
Network Indicators:
- Unusual HTTP requests to M-Files Server on standard ports (443, 2266) from unexpected sources
- Traffic patterns showing reconnaissance behavior
SIEM Query:
source="m-files.log" AND (uri_path="*/parser*" OR user_agent="*scanner*") AND auth_status="failed"