A serious security flaw was recently discovered affecting all older versions of FileMaker Server: anyone who can reach the server with FileMaker Pro or FileMaker Pro Advanced can gain full access to any database it hosts, without knowing the file name or any account names.
If you’re using a version of FileMaker Server prior to version 19.6.4, you need to read this article very carefully and act quickly to fix the problem.
FileMaker Server does not show connections that exploit the flaw in the admin console or in its logs. In practice, you have no way to intercept the intrusion in real time, nor to verify afterwards whether someone accessed the files without authorization.
When Was this Discovered?
The flaw was discovered in fall 2023. Claris was notified and remediated the issue in April 2024, but only in FileMaker 20.3.2 and in FileMaker Server 19.6.4.
So It’s Fixed?
On the contrary: all versions of FileMaker Server prior to 19.6 and reachable from a network are vulnerable. There is no way to tell from the FileMaker side whether someone has compromised the system.
But how could such a catastrophic situation have arisen? On a technical level, the issue depends on three factors:
- The protocol FileMaker uses for client/server communication
- The way FileMaker Server identifies hosted databases
- The method by which the FileMaker engine (Draco) manages users
The Solution? Upgrade FileMaker Server to at least Version 19.6.4.
Although a VPN or similar controls reduce the risk of unwanted access, blocking external access to the server without upgrading is not a permanent solution: a serious vulnerability remains on the internal network.
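A quick way to triage an inventory of servers against the patched releases named in this article (19.6.4 and 20.3.2) is to compare versions per major line, because a plain "at least 19.6.4" check would wrongly pass 20.0 through 20.3.1. The following is an added example, not Claris code; the hostnames and version strings are constructed, and treating major versions above 20 as patched is an assumption.

```python
from typing import Dict, Tuple

# First patched release per major line, as stated in the article.
PATCHED: Dict[int, Tuple[int, int, int]] = {19: (19, 6, 4), 20: (20, 3, 2)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '19.5.4.401' or '20.3.2' into a tuple of ints (build number kept)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FileMaker Server version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates the fix for its major line."""
    v = parse_version(version)
    major = v[0]
    if major < 19:
        return True   # every earlier major line is unpatched
    if major > 20:
        return False  # assumption: later lines ship with the fix
    # A short string like '19.6' compares below (19, 6, 4) and is treated as
    # vulnerable, which is the conservative answer when the patch level is unknown.
    return v[:3] < PATCHED[major]


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'patched' or 'unknown' (unparseable version)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "fms-legacy.example.internal": "18.0.4.428",
    "fms-prod.example.internal": "19.6.4.401",
    "fms-dev.example.internal": "20.1.2.207",
    "fms-new.example.internal": "20.3.2.205",
    "fms-odd.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed safe.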
Not sure how to update FileMaker Server? Write to us now!