CVE-2023-6912
📋 TL;DR
M-Files Server versions before 23.12.13205.0 lack brute force protection, allowing attackers unlimited authentication attempts to guess user passwords. This affects all organizations using vulnerable M-Files Server deployments. Attackers could compromise user accounts through password guessing attacks.
💻 Affected Systems
- M-Files Server
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of M-Files Server through administrative account takeover, leading to data theft, ransomware deployment, or system destruction.
Likely Case
Compromise of standard user accounts leading to unauthorized access to sensitive documents and business data stored in M-Files.
If Mitigated
Failed authentication attempts are logged and rate-limited, so attackers cannot guess their way into an account and the attempts themselves become a detectable signal.
🎯 Exploit Status
Exploitation requires no special tools - attackers can use standard password spraying or brute force tools against authentication endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.12.13205.0 and later
Vendor Advisory: https://product.m-files.com/security-advisories/cve-2023-6912/
Restart Required: Yes
Instructions:
1. Download M-Files Server 23.12.13205.0 or later from the M-Files customer portal.
2. Back up the current configuration and data.
3. Run the installer with administrative privileges.
4. Restart the M-Files Server services.
5. Verify the upgrade succeeded (see How to Verify below).
🔧 Temporary Workarounds
Network-level rate limiting
Applies to: all platforms. Implement rate limiting at the network perimeter or load balancer to restrict authentication attempts per source address.
Account lockout policy
Applies to: Windows. Configure Windows account lockout policies for M-Files service accounts. Note that the command below sets the local machine policy; domain accounts follow the domain policy unless /domain is specified.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
🧯 If You Can't Patch
- Implement network segmentation to restrict access to M-Files Server from untrusted networks
- Enable detailed authentication logging and implement SIEM alerts for failed login patterns
🔍 How to Verify
Check if Vulnerable:
Check M-Files Server version in M-Files Admin tool under Help > About. Versions below 23.12.13205.0 are vulnerable.
Check Version:
In M-Files Admin: Help > About, or check registry: HKEY_LOCAL_MACHINE\SOFTWARE\M-Files\Server\Version
Verify Fix Applied:
Verify version shows 23.12.13205.0 or higher in M-Files Admin. Test authentication with multiple failed attempts to confirm rate limiting is active.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from single IP
- Authentication failures for same user account within short timeframe
- Unusual authentication patterns outside business hours
Network Indicators:
- High volume of POST requests to /REST/objects/authenticationtokens endpoint
- Authentication traffic from unexpected geographic locations
SIEM Query:
source="m-files.log" AND (event_type="authentication_failure") | stats count by src_ip, user | where count > 10
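The following Python script is an added example, not part of the advisory and not M-Files code: it implements the three log indicators above as a sliding-window detector over a constructed log export. The line format (`<timestamp> <event> user=<name> src_ip=<addr>`), the field names, the 5-minute window and the 08:00-18:00 UTC business-hours range are all assumptions for illustration; adapt `LINE_RE` to your real M-Files event export. The threshold of more than 10 failures is taken from the SIEM query above. Unlike that query, the detector counts failures per source address and per user separately, so it also fires on a password spray that tries each account only once.

```python
"""Sliding-window detection for the CVE-2023-6912 log indicators.

Added example (not from the advisory or from M-Files). The log line format is
constructed for illustration; real M-Files Server event exports differ, so
adapt LINE_RE in parse_line() to your own source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed line format: 2024-01-15T02:13:00Z authentication_failure user=u01 src_ip=203.0.113.5
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<event>\w+) "
    r"user=(?P<user>\S+) src_ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]}


def detect_failures(lines, threshold=10, window=timedelta(minutes=5), business_hours=(8, 18)):
    """Flag any src_ip or user with more than `threshold` authentication failures
    inside a sliding `window`. Lines must be in chronological order, as a log
    export is. Each key is alerted on once; the alert records whether the burst
    happened outside business hours (UTC hour range, half-open)."""
    recent = {"src_ip": defaultdict(deque), "user": defaultdict(deque)}
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "authentication_failure":
            continue
        for kind in ("src_ip", "user"):
            key = rec["ip"] if kind == "src_ip" else rec["user"]
            dq = recent[kind][key]
            dq.append(rec["ts"])
            # Drop timestamps that have fallen out of the window.
            while rec["ts"] - dq[0] > window:
                dq.popleft()
            if len(dq) > threshold and (kind, key) not in alerted:
                alerted.add((kind, key))
                alerts.append({
                    "kind": kind,
                    "key": key,
                    "count": len(dq),
                    "first_seen": dq[0],
                    "last_seen": rec["ts"],
                    "off_hours": not (business_hours[0] <= rec["ts"].hour < business_hours[1]),
                })
    return alerts


def count_by_ip_and_user(lines, threshold=10):
    """Same grouping as the SIEM query above: failures counted per (src_ip, user)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "authentication_failure":
            counts[(rec["ip"], rec["user"])] += 1
    return {k: v for k, v in counts.items() if v > threshold}


# Constructed sample export (not real M-Files output): a password spray from one
# address at 02:xx UTC, one benign daytime failure, a malformed line, then one
# account hit from eleven different addresses.
SAMPLE_LOG = (
    [f"2024-01-15T02:{13 + i // 6:02d}:{(i % 6) * 10:02d}Z authentication_failure "
     f"user=user{i:02d} src_ip=203.0.113.5" for i in range(12)]
    + ["2024-01-15T09:00:00Z authentication_success user=alice src_ip=192.0.2.10",
       "2024-01-15T09:30:00Z authentication_failure user=alice src_ip=192.0.2.10",
       "this line is malformed and is skipped"]
    + [f"2024-01-15T14:05:{i * 5:02d}Z authentication_failure "
       f"user=bob src_ip=198.51.100.{i + 1}" for i in range(11)]
)

if __name__ == "__main__":
    for alert in detect_failures(SAMPLE_LOG):
        print(alert)
    print("by (src_ip, user):", count_by_ip_and_user(SAMPLE_LOG))
```

On the sample data `detect_failures` raises two alerts, one for the spraying address (flagged as off-hours) and one for the user `bob`, while `count_by_ip_and_user` returns nothing because no single (address, user) pair exceeds the threshold. That is the gap to keep in mind when using the `stats count by src_ip, user` form of the query: it catches repeated guesses against one account from one address, but a spray that touches each account once stays under it.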