MEDIUMCVE-2024-6789

CVE-2024-6789: Path Traversal in M-Files Server

Platform

other

Component

m-files-server

Fixed in

24.8.13981.0

LTS 24.2.13421.15 SR2

LTS 23.8.12892.0 SR6

AI Confidence: highNVDEPSS 0.9%Reviewed: May 2026

View on NVD

Save

CVE-2024-6789 describes a path traversal vulnerability discovered in M-Files Server. This flaw allows an authenticated user to read files outside of the intended directory, potentially exposing sensitive data. The vulnerability affects versions prior to LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6. A fix is available in LTS 24.2.13421.15 SR2.

Impact and Attack Scenarios

The impact of this path traversal vulnerability is significant, as it allows an authenticated user to bypass access controls and read arbitrary files on the server. An attacker could potentially access configuration files, database credentials, or other sensitive data stored on the system. This could lead to data breaches, privilege escalation, and further compromise of the M-Files Server environment. The ability to read files outside the intended directory represents a serious security risk, particularly if the server stores confidential information.

Exploitation Context

CVE-2024-6789 was publicly disclosed on August 27, 2024. There is currently no indication of active exploitation or KEV listing. Public proof-of-concept code is not yet available, but the path traversal nature of the vulnerability suggests that it could be relatively easy to exploit once a PoC is developed. Monitor security advisories and threat intelligence feeds for updates.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

EPSS

0.92% (76% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impactpartial

Affected Software

Componentm-files-server

VendorM-Files Corporation

Affected rangeFixed in

0 – 24.8.13980.024.8.13981.0

LTS 24.2.0 – LTS 24.2.13421.14 SR2LTS 24.2.13421.15 SR2

LTS 23.8.0 – LTS 23.8.12891.0 SR6LTS 23.8.12892.0 SR6

Weakness Classification (CWE)

CWE-22

Timeline

Reserved2024-07-16
Published2024-08-27
Modified2026-02-23
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-6789 is to upgrade M-Files Server to version LTS 24.2.13421.15 SR2 or later. Prior to upgrading, it is recommended to review the M-Files Server release notes for any potential compatibility issues or breaking changes. Consider implementing stricter access controls and file permissions to limit the potential impact of this vulnerability, even after patching. Regularly audit file system access logs to detect any suspicious activity.

How to fix

Update M-Files Server to version 24.8.13981.0, LTS 24.2.13421.15 SR2 or LTS 23.8.12892.0 SR6, or later, as appropriate for your support branch. This corrects the path traversal vulnerability.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-6789 — Path Traversal in M-Files Server?

CVE-2024-6789 is a vulnerability allowing authenticated users to read arbitrary files on M-Files Server versions before LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6.

Am I affected by CVE-2024-6789 in M-Files Server?

You are affected if you are running M-Files Server versions 0–LTS 24.2.13421.15 SR2 or LTS 23.8.12892.0 SR6. Check your version against the fixed version.

How do I fix CVE-2024-6789 in M-Files Server?

Upgrade M-Files Server to LTS 24.2.13421.15 SR2 or a later version. Review release notes before upgrading.

Is CVE-2024-6789 being actively exploited?

There is currently no indication of active exploitation, but the vulnerability's nature suggests potential for exploitation.

Where can I find the official M-Files advisory for CVE-2024-6789?

Refer to the official M-Files security advisory for CVE-2024-6789 on the M-Files website.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs