CVE-2023-3406
📋 TL;DR
This path traversal vulnerability in M-Files Classic Web allows authenticated users to access restricted files on the web server by manipulating file paths. It affects M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release versions before 23.2 LTS SR3. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- M-Files Classic Web
📦 What is this software?
Classic Web by M Files
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attacker reads sensitive system files, configuration files, or application data, potentially leading to credential theft, data exfiltration, or further system compromise.
Likely Case
Authenticated user accesses restricted files containing configuration details, logs, or other sensitive information that should not be accessible.
If Mitigated
With proper access controls and network segmentation, impact is limited to files accessible by the web server process within its security context.
🎯 Exploit Status
Exploitation requires authenticated access. Path traversal vulnerabilities are typically straightforward to exploit once the vulnerability is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.6.12695.3 or later for current versions, 23.2 LTS SR3 or later for LTS versions
Vendor Advisory: https://empower.m-files.com/security-advisories/CVE-2023-3406
Restart Required: Yes
Instructions:
1. Download the latest M-Files Classic Web update from the M-Files customer portal.
2. Back up your current installation.
3. Run the installer with administrative privileges.
4. Restart the M-Files service and IIS.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict file system access
Configure web server permissions to limit the M-Files application pool identity to only the necessary directories:
icacls "C:\inetpub\wwwroot\M-Files" /grant "IIS AppPool\M-FilesAppPool":(OI)(CI)RX
Implement request filtering
Add URL filtering rules in IIS to block path traversal patterns (the denyUrlSequences collection takes entries keyed by sequence):
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering/denyUrlSequences' -name '.' -value @{sequence='..'}
🧯 If You Can't Patch
- Implement strict access controls and monitor authenticated user activity for unusual file access patterns
- Segment the M-Files server from other critical systems and implement network-based file access restrictions
🔍 How to Verify
Check if Vulnerable:
Check M-Files Classic Web version in the M-Files Admin tool under Help > About. If version is below 23.6.12695.3 (or below 23.2 LTS SR3 for LTS versions), the system is vulnerable.
Check Version:
Check via M-Files Admin tool or examine the M-Files installation directory for version information
Verify Fix Applied:
After patching, verify the version shows 23.6.12695.3 or higher (or 23.2 LTS SR3 or higher for LTS). Test authenticated file access attempts with path traversal patterns to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- IIS logs showing requests with '..' sequences or attempts to access files outside expected directories
- M-Files audit logs showing unusual file access patterns by authenticated users
Network Indicators:
- HTTP requests containing path traversal sequences (../, ..\) to M-Files endpoints
SIEM Query:
source="IIS" AND (url="*..*" OR url="*%2e%2e*" OR url="*%252e%252e*") AND dest_host="m-files-server"
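The log indicators and SIEM query above look for raw, single- and double-encoded '..' sequences. The following added example (not part of the advisory) implements the same check over IIS W3C log lines: it decodes the URI stem repeatedly, folds backslashes, and flags any '..' path segment. The sample log excerpt and the field order are constructed for illustration.

```python
"""Flag path-traversal attempts in IIS W3C log lines (added detection example)."""
import re
from urllib.parse import unquote

# Constructed sample IIS W3C log excerpt; not taken from a real M-Files server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs-username
2023-07-01 10:00:01 GET /Default.aspx - 200 alice
2023-07-01 10:00:02 GET /Views/../../web.config - 404 bob
2023-07-01 10:00:03 GET /Views/%2e%2e/%2e%2e/web.config - 404 bob
2023-07-01 10:00:04 GET /Views/%252e%252e/%252e%252e/web.config - 200 bob
2023-07-01 10:00:05 GET /Views/..%5c..%5cweb.config - 200 carol
2023-07-01 10:00:06 GET /Views/Document.aspx id=42 200 alice
"""

# A '..' component delimited by path separators (or line start/end).
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def normalize(uri: str, rounds: int = 3) -> str:
    """Percent-decode up to `rounds` times (catches %2e%2e and %252e%252e),
    then fold backslashes to slashes so ../ and ..\\ are checked alike."""
    prev = None
    for _ in range(rounds):
        if uri == prev:  # stop once decoding no longer changes anything
            break
        prev, uri = uri, unquote(uri)
    return uri.replace("\\", "/")


def parse_w3c(text: str):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_traversal(text: str):
    """Return (username, decoded stem, status) for each record whose decoded
    URI stem contains a '..' path segment, regardless of encoding depth."""
    hits = []
    for rec in parse_w3c(text):
        decoded = normalize(rec["cs-uri-stem"])
        if TRAVERSAL.search(decoded):
            hits.append((rec["cs-username"], decoded, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for user, stem, status in find_traversal(SAMPLE_LOG):
        print(f"{user:6} {status} {stem}")
```

Records with sc-status 200 on a traversal stem deserve the most attention, since a 404 indicates the request was already rejected.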