CVE-2022-4858
📋 TL;DR
M-Files Server versions before 22.10.11846.0 can log sensitive authentication tokens to log files when specific configurations are enabled. This vulnerability allows attackers with access to log files to obtain tokens that could be used for unauthorized access. Organizations using vulnerable M-Files Server configurations are affected.
💻 Affected Systems
- M-Files Server
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain authentication tokens from logs and use them to gain unauthorized access to sensitive documents and systems, potentially leading to data theft or system compromise.
Likely Case
Internal or external attackers with log access extract tokens to access documents they shouldn't have permission to view, resulting in data exposure.
If Mitigated
With proper log access controls and monitoring, token extraction is prevented or quickly detected, limiting impact to minimal data exposure.
🎯 Exploit Status
Exploitation requires access to log files and specific vulnerable configurations to be enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.10.11846.0 and later
Vendor Advisory: https://empower.m-files.com/security-advisories/CVE-2022-4858
Restart Required: Yes
Instructions:
1. Download M-Files Server version 22.10.11846.0 or later from official M-Files sources.
2. Back up the current configuration and data.
3. Install the update following the M-Files documentation.
4. Restart the M-Files Server services.
🔧 Temporary Workarounds
Disable sensitive logging configurations
Windows: Modify the M-Files Server logging configuration to prevent sensitive tokens from being written to log files.
Modify the M-Files Server configuration files to remove or adjust the logging settings that capture authentication tokens.
Restrict log file access
Windows: Apply strict file system permissions to the M-Files log directories to prevent unauthorized access.
icacls "C:\ProgramData\M-Files\Logs" /deny "Users:(OI)(CI)(R,W)"
icacls "C:\ProgramData\M-Files\Logs" /grant "Administrators:(OI)(CI)F"
🧯 If You Can't Patch
- Review and modify logging configurations to ensure sensitive tokens are not being logged
- Implement strict access controls on log file directories and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the M-Files Server version in the administration console or via the registry value HKEY_LOCAL_MACHINE\SOFTWARE\M-Files\Server\Version. If the version is below 22.10.11846.0 and sensitive logging is configured, the system is vulnerable.
Check Version:
reg query "HKLM\SOFTWARE\M-Files\Server" /v Version
Verify Fix Applied:
Verify version is 22.10.11846.0 or higher in administration console, then test that authentication tokens no longer appear in log files.
📡 Detection & Monitoring
Log Indicators:
- Authentication tokens appearing in M-Files Server log files
- Unauthorized access attempts using tokens found in logs
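The "test that authentication tokens no longer appear in log files" step above and the first log indicator both come down to the same check: scanning the server logs for token-like values. The following scanner is an added example, not part of this advisory or of M-Files' own tooling; the sample log lines, the field name authToken and the token formats it looks for are constructed assumptions, since the advisory does not show the actual M-Files log format.

```python
import re
import sys
from typing import Iterable, List, Tuple

# Constructed sample lines imitating a server log. The field names and
# token formats are assumptions, not M-Files' real log layout.
SAMPLE_LOG = """\
2022-11-02 09:15:01 INFO  Session opened for user jdoe from 10.0.0.5
2022-11-02 09:15:02 DEBUG Request headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqZG9lIn0.c2lnbmF0dXJlX3BsYWNlaG9sZGVy
2022-11-02 09:15:03 DEBUG Vault login ok, authToken=3f9a0c4e7b1d5e8a2c6f0b9d4e7a1c3f5b8d2e6a
2022-11-02 09:15:04 INFO  Document 1042 checked out by jdoe
"""

# Heuristics for token-like material: a three-part JWT after "Bearer", and
# any token-style key followed by a long opaque value. Extend for your logs.
TOKEN_PATTERNS = [
    ("bearer", re.compile(
        r"Bearer\s+([A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+)")),
    ("kv", re.compile(
        r"(?i)\b(auth[_-]?token|access[_-]?token|token)\s*[=:]\s*([A-Za-z0-9\-_.]{20,})")),
]


def redact(token: str) -> str:
    """Keep only a prefix and suffix so the report itself does not leak the secret."""
    return token[:4] + "..." + token[-4:]


def find_tokens(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, redacted_token) for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for kind, pattern in TOKEN_PATTERNS:
            for match in pattern.finditer(line):
                # The token is always the last capturing group of the pattern.
                hits.append((number, kind, redact(match.group(match.lastindex))))
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan one log file; errors="replace" copes with mixed encodings."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_tokens(handle)


if __name__ == "__main__":
    # With no arguments, run against the constructed sample; otherwise scan the given files.
    results = ([("sample", h) for h in find_tokens(SAMPLE_LOG.splitlines())]
               if len(sys.argv) == 1 else
               [(p, h) for p in sys.argv[1:] for h in scan_file(p)])
    for source, (number, kind, token) in results:
        print(f"{source}:{number}: {kind} token-like value {token}")
```

A clean run over the log directory after the update (and over older, rotated logs, which still hold any tokens written before the fix) supports the verification step; any hit on a patched server means a logging setting still captures tokens.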
Network Indicators:
- Unusual authentication patterns or token reuse from unexpected locations
SIEM Query:
source="M-Files Server Logs" AND ("token" OR "authentication" OR "auth") AND sensitive_data_detected