IIS Shortname Vulnerability in FileMaker Server by Claris
CVE-2025-46294

5.3MEDIUM

Key Information:

Vendor: Claris
Status: Filemaker Server
Vendor: CVE Published:; 16 December 2025

What is CVE-2025-46294?

The IIS Shortname Vulnerability in FileMaker Server allows attackers to exploit the way Microsoft IIS handles legacy 8.3 short filenames. By crafting requests that utilize the tilde (~) character, attackers can enumerate hidden files and directories, potentially compromising sensitive information. To mitigate this issue, the FileMaker Server 22.0.4 installer now includes an option to disable IIS short filename enumeration through a registry setting. This enhancement significantly bolsters the security posture of systems running FileMaker Server.

Affected Version(s)

FileMaker Server < 22.0.4

References

https://support.claris.com/s/answerview?anum=000048450&la...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 16, 2025
Vulnerability Reserved
Apr 22, 2025

CVE-2025-46294 Data

JSON