Summary Incorrect Access Control Vulnerability
Release Date 21st December 2022
Product M-Link
Version(s) 16.2v1 to 17.0v23
CVE ID CVE-2022-47634

Summary of vulnerability

This advisory discloses a critical vulnerability introduced in version R16.2v1 of M-Link. The following versions are affected by this vulnerability:

  • M-Link R16.2v1 to R17.0v23.
There is a bug where, after successful authentication as a non-administrative user, an attacker with knowledge of the correct HTTP URLs is able to access and manipulate archive data.


Isode rates the severity level of this vulnerability as medium, according to the CVSS system (details can be found at


This vulnerability has been fixed in M-Link R17.0v24 and affected services are advised to immediately upgrade to this version. Current later versions (such as the subsequent major release R19.2) are not affected by this vulnerability.


This vulnerability was discovered, with thanks from Isode, by Jerome Nokin of the NATO Cyber Security Centre (NCSC).