M-Files Server Password Recovery Vulnerability for External Connectors

Vulnerability

A vulnerability in M-Files Server versions prior to 25.1.14445.5 allows highly privileged users, such as system or vault administrators, to recover passwords for external connectors. The issue arises from an unsafe password recovery mechanism in the server's configuration. These administrators can already set the passwords, but recovering them is not typically allowed. The vulnerability does not impact other user types or administrative passwords. It is particularly relevant in environments with multiple admin users who have different levels of access to external systems connected via EOT connectors, which are not enabled by default.

Impact

Exploitation of this vulnerability could lead to unauthorized recovery of external connector passwords, allowing privileged users to access or manipulate connected systems.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 4.0
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.