Claris FileMaker Server 22 IIS Shortname Vulnerability Information Disclosure

Vulnerability

A vulnerability in Claris FileMaker Server 22.0.3 and earlier versions allows for information disclosure through the improper handling of legacy 8.3 short filenames by Microsoft IIS. Attackers can exploit this by sending requests that include the tilde character, which can reveal hidden files and directories, even when directory listing is turned off. This issue has been fully resolved in FileMaker Server 22.0.4.

Impact

Exploitation of this vulnerability could lead to unauthorized information disclosure by allowing attackers to infer the presence of files or directories on the server.

Remediation

Users can update to FileMaker Server 22.0.4, which includes a built-in option to disable IIS short filename enumeration. For those using FileMaker Server 22.0.3 or earlier, it is recommended to manually adjust the Windows registry to disable 8.3 name creation, delete any existing files with the 8.3 naming convention, and restart the web server.
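
The manual steps for 22.0.3 and earlier, as an added PowerShell example (not Claris's own script). It assumes an elevated session; the web root path is a placeholder, and the registry value NtfsDisable8dot3NameCreation and the fsutil and iisreset commands are the standard Windows ones, which the advisory does not name.

```powershell
# Added example: audit the 8.3 short-name state, and with -Apply run the mitigation.
# $WebRoot is a placeholder; point it at the folder IIS actually serves on this host.
param(
    [string]$WebRoot = 'C:\PLACEHOLDER\WebRoot',
    [switch]$Apply
)

$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$name  = 'NtfsDisable8dot3NameCreation'

# 0 = create on all volumes, 1 = disabled on all volumes,
# 2 = per-volume setting, 3 = disabled on all but the system volume
$current = (Get-ItemProperty -Path $fsKey -Name $name).$name
Write-Output "$name is currently $current"

# Per-volume state for the volume that holds the web root
$volume = Split-Path -Path $WebRoot -Qualifier
fsutil 8dot3name query $volume

# An entry still has an alias when its short name differs from its long name.
# Names that already fit 8.3 report the same value for both and are skipped.
$fso = New-Object -ComObject Scripting.FileSystemObject
$aliased = @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Force | ForEach-Object {
    $short = if ($_.PSIsContainer) { $fso.GetFolder($_.FullName).ShortName }
             else                  { $fso.GetFile($_.FullName).ShortName }
    if ($short -ne $_.Name) {
        [pscustomobject]@{ ShortName = $short; Path = $_.FullName }
    }
})
$aliased | ForEach-Object { '{0}  ->  {1}' -f $_.ShortName, $_.Path }
Write-Output "$($aliased.Count) entries under $WebRoot carry an 8.3 alias"

if ($Apply) {
    # 1. Stop NTFS from generating new short names on all volumes
    Set-ItemProperty -Path $fsKey -Name $name -Value 1 -Type DWord
    # 2. Remove aliases that already exist under the web root
    #    (add /t to this command for a dry run that changes nothing)
    fsutil 8dot3name strip /s /v $WebRoot
    # 3. Restart the web server
    iisreset /restart
}
```

Run it once without -Apply to see the current setting and which entries are affected, then again with -Apply; a second audit run should report 0 entries.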

Added: Dec 16, 2025, 7:16 PM
Updated: Dec 16, 2025, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 7.4
remediation: 8.3
relevance: 1.5
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.