CVE-2025-0635

High

Published: 23 January 2025

Published

23 January 2025

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0014 32.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.

Security Summary

CVE-2025-0635 is a denial-of-service vulnerability in M-Files Server versions before 25.1.14445.5. The issue allows an unauthenticated user to consume computing resources under certain conditions, leading to a denial-of-service state. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-770 (Allocation of Resources Without Limits or Throttling).

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation results in high-impact disruption to availability by forcing the server to exhaust computing resources, while confidentiality and integrity remain unaffected.

Official advisories recommend upgrading to M-Files Server version 25.1.14445.5 or later to mitigate the vulnerability. Detailed guidance is available in the vendor's security advisories at https://empower.m-files.com/security-advisories/CVE-2025-0635 and https://product.m-files.com/security-advisories/cve-2025-0635/.

Details

CWE(s): CWE-770

Affected Products

m-files

m-files server

≤ 25.1.14445.5

References

https://empower.m-files.com/security-advisories/CVE-2025-0635
security@m-files.com
https://product.m-files.com/security-advisories/cve-2025-0635/
Vendor Advisory · security@m-files.com