CVE-2025-0635

High

Published: 23 January 2025

Published

23 January 2025

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0014 32.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0635 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in M-Files M-Files Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 32.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and remediation of flaws like CVE-2025-0635 through vendor upgrades to prevent unauthenticated resource exhaustion.

SC-5 Denial-of-service Protection good match

prevent

SC-5 implements denial-of-service protections such as rate limiting and resource throttling to block unauthenticated consumption of computing resources.

SC-6 Resource Availability good match

prevent

SC-6 enforces limits and monitoring on system resource allocation and usage to mitigate depletion attacks from unauthenticated users.

MITRE ATT&CK Enterprise TechniquesAI

T1499.003 Application Exhaustion Flood Impact

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Direct resource exhaustion DoS via unauthenticated network exploitation of allocation flaw matches application exhaustion and system exploitation subtechniques.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.

Deeper analysisAI

CVE-2025-0635 is a denial-of-service vulnerability in M-Files Server versions before 25.1.14445.5. The issue allows an unauthenticated user to consume computing resources under certain conditions, leading to a denial-of-service state. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is linked to CWE-770 (Allocation of Resources Without Limits or Throttling).

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation results in high-impact disruption to availability by forcing the server to exhaust computing resources, while confidentiality and integrity remain unaffected.

Official advisories recommend upgrading to M-Files Server version 25.1.14445.5 or later to mitigate the vulnerability. Detailed guidance is available in the vendor's security advisories at https://empower.m-files.com/security-advisories/CVE-2025-0635 and https://product.m-files.com/security-advisories/cve-2025-0635/.