CVE-2025-2091
BaseFortify
Publication date: 2025-06-16
Last updated on: 2026-02-23
Assigner: M-Files Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| m-files | m-files_mobile | to 25.6.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-2091 is an open redirection vulnerability in M-Files Mobile applications for Android and iOS versions prior to 25.6.0. Attackers can create malicious PDF files that trick users into making requests to untrusted URLs. To exploit this, the attacker must be an authenticated user with permission to add content, and the victim must interact with the malicious PDF. This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) and involves hiding malicious data within files. [1]
How can this vulnerability impact me?
This vulnerability can lead users to unknowingly visit untrusted or malicious websites by interacting with crafted PDF files, potentially exposing them to phishing, malware, or other web-based attacks. However, the impact on confidentiality is low, and there is no impact on integrity or availability. Exploitation requires user interaction and an attacker with certain permissions, and currently, there are no known public exploits or active exploitation, with a low probability of exploitation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for interactions with maliciously crafted PDF files that trigger requests to untrusted URLs within M-Files Mobile applications prior to version 25.6.0. Since exploitation requires user interaction with such PDFs, network monitoring tools can be used to detect unusual outbound requests to untrusted or suspicious URLs originating from mobile devices running affected versions. Specific commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating M-Files Mobile applications on Android and iOS to version 25.6.0 or later, which contains the fix for this open redirection vulnerability. Additionally, restrict permissions to add content to the vault to trusted users only, educate users to avoid interacting with suspicious PDF files, and monitor for unusual network activity involving requests to untrusted URLs. [1]