Plattform
other
Komponente
filemegane
Behoben in
3.0.1
A server-side request forgery (SSRF) vulnerability has been identified in FileMegane versions greater than 3.0.0.0 and prior to 3.4.0.0. This flaw allows attackers to execute arbitrary backend Web API requests, potentially leading to disruptive actions such as service reboots. The vulnerability was publicly disclosed on February 17, 2025, and a patch is available in version 3.4.0.0.
The SSRF vulnerability in FileMegane allows an attacker to craft malicious requests that the server will then execute on its own behalf. This can be exploited to interact with internal services that are not directly accessible from the outside world. A successful attack could allow an attacker to trigger a reboot of FileMegane services, causing a denial of service. While the description doesn't specify direct data exfiltration, the ability to interact with backend APIs could potentially expose sensitive information depending on the APIs' functionality and access controls. The blast radius is limited to the FileMegane instance and its connected backend services.
The vulnerability was publicly disclosed on February 17, 2025. No KEV listing or active exploitation campaigns have been reported as of this date. Public proof-of-concept exploits are not currently available, but the SSRF nature of the vulnerability makes it likely that one will emerge. The CVSS score of 7.2 (HIGH) indicates a significant potential for exploitation.
Organizations deploying FileMegane versions 3.0.0.0 through 3.3.9.9 are at risk. This includes environments where FileMegane is used for file sharing or document management, particularly those with limited network segmentation or weak outbound access controls.
disclosure
Exploit-Status
EPSS
0.07% (23% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-20075 is to upgrade FileMegane to version 3.4.0.0 or later, which contains the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the FileMegane server to only trusted destinations. Implement strict input validation on any URLs or hostnames provided by users to prevent malicious crafting of requests. Web application firewalls (WAFs) configured to detect and block SSRF attempts can also provide a layer of defense. Monitor FileMegane logs for unusual outbound requests.
Actualice FileMegane a la versión 3.4.0.0 o superior. Esta actualización corrige la vulnerabilidad SSRF que permite la ejecución de solicitudes arbitrarias al backend, lo que podría resultar en el reinicio de los servicios. Consulte el aviso de seguridad del proveedor para obtener más detalles.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-20075 is a server-side request forgery vulnerability in FileMegane versions 3.0.0.0–3.4.0.0, allowing attackers to trigger backend API requests and potentially reboot services.
You are affected if you are using FileMegane versions greater than 3.0.0.0 and prior to 3.4.0.0. Upgrade to 3.4.0.0 to mitigate the risk.
Upgrade FileMegane to version 3.4.0.0 or later. As a temporary workaround, restrict outbound network access and implement strict input validation.
As of now, there are no confirmed reports of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the FileMegane official security advisory for detailed information and updates regarding CVE-2025-20075.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.