A data disclosure vulnerability in M-Files Server allows authenticated attackers to capture and reuse session tokens from active users, potentially gaining unauthorized access to sensitive document management systems.
The flaw, tracked as CVE-2025-13008, affects multiple versions across different release branches and carries a high-severity CVSS 4.0 base score of 8.6.
The vulnerability exists within M-Files Web and requires the attacker to hold legitimate authentication credentials.
Once authenticated, an attacker can intercept the session tokens of other actively connected users while those users perform specific client operations.
By obtaining these tokens, threat actors can impersonate legitimate users and perform actions in their name and with their permissions, including accessing confidential documents and potentially modifying critical data.
The flaw is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). It represents a session replay scenario per CAPEC-60.
The attack requires user interaction and network accessibility, making it a practical threat in connected environments.
Affected Versions
Organizations running the following M-Files Server versions are vulnerable and should prioritize patching:
Release Branch     Vulnerable Versions      Patched Version
Current Release    Before 25.12.15491.7     25.12.15491.7
LTS 25.8           Before SR3               25.8.15085.18 (SR3)
LTS 25.2           Before SR3               25.2.14524.14 (SR3)
LTS 24.8           Before SR5               24.8.13981.17 (SR5)
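As an added example (not code from M-Files or from the original advisory), the Python helper below turns the table above into an inventory triage check: it parses an M-Files Server version string, identifies its release branch, and compares the build against the patched build for that branch. Branches the advisory does not list are reported as unknown rather than guessed at, and the server inventory at the bottom is constructed sample data.

```python
from typing import Dict, Optional, Tuple

# Patched builds per release branch, transcribed from the advisory table.
# Keys are the "major.minor" prefix of an M-Files Server version string.
PATCHED_BUILDS: Dict[str, str] = {
    "25.12": "25.12.15491.7",   # Current Release
    "25.8": "25.8.15085.18",    # LTS 25.8, SR3
    "25.2": "25.2.14524.14",    # LTS 25.2, SR3
    "24.8": "24.8.13981.17",    # LTS 24.8, SR5
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '25.8.15085.18' into a tuple of ints that compares numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected M-Files version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build predates the patched build for its branch,
    False if it is the patched build or newer, None if the branch is not
    covered by the advisory (the advisory says nothing about it)."""
    version = parse_version(text)
    branch = f"{version[0]}.{version[1]}"
    patched = PATCHED_BUILDS.get(branch)
    if patched is None:
        return None
    return version < parse_version(patched)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map server name -> version string to server name -> status label."""
    labels = {True: "VULNERABLE", False: "patched", None: "branch not in advisory"}
    return {name: labels[is_vulnerable(ver)] for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "dms-prod-01": "25.8.15085.17",   # one build short of SR3
        "dms-prod-02": "25.12.15491.7",   # current release, patched
        "dms-test-01": "24.8.13900.5",    # old LTS 24.8 build
        "dms-legacy": "24.2.12345.1",     # branch not listed in the advisory
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```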
M-Files has released patched versions addressing this vulnerability. The company received the issue through responsible vulnerability disclosure, and no public exploits currently exist.
However, the low likelihood of exploitation designation should not diminish the urgency of patching, given the high-impact nature of successful attacks, unauthorized document access, and potential lateral movement within enterprise systems.
Organizations should prioritize testing and deploying patches across all affected M-Files Server instances.
At the same time, security teams should monitor access logs for suspicious user activity that indicates token theft or unauthorized account use.