Search criteria
115 vulnerabilities by devolutions
CVE-2025-13683 (GCVE-0-2025-13683)
Vulnerability from cvelistv5 – Published: 2025-11-28 17:00 – Updated: 2025-11-28 18:35
VLAI?
Summary
Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0.
Severity ?
6.5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.3.8.0
(custom)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T18:31:48.462146Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T18:35:01.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.3.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.3.23.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.\u003cp\u003eThis issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0.\u003c/p\u003e"
}
],
"value": "Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T17:00:48.552Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0017/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-13683",
"datePublished": "2025-11-28T17:00:48.552Z",
"dateReserved": "2025-11-25T19:40:33.497Z",
"dateUpdated": "2025-11-28T18:35:01.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13758 (GCVE-0-2025-13758)
Vulnerability from cvelistv5 – Published: 2025-11-27 15:30 – Updated: 2025-12-01 19:15
VLAI?
Summary
Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.8.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.2.20
(custom)
Affected: 0 , ≤ 2025.3.8 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T18:49:45.095248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T19:15:26.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.2.20",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of credentials in unintended requests in Devolutions Server.\u003cp\u003eThis issue affects Server: through 2025.2.20, through 2025.3.8.\u003c/p\u003e"
}
],
"value": "Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.8."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T15:30:47.944Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0018/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-13758",
"datePublished": "2025-11-27T15:30:47.944Z",
"dateReserved": "2025-11-26T20:34:39.022Z",
"dateUpdated": "2025-12-01T19:15:26.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13757 (GCVE-0-2025-13757)
Vulnerability from cvelistv5 – Published: 2025-11-27 15:30 – Updated: 2025-12-01 19:15
VLAI?
Summary
SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.2.20
(custom)
Affected: 0 , ≤ 2025.3.8 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13757",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T18:50:45.402289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T19:15:31.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.2.20",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL Injection vulnerability in last usage logs in Devolutions Server.\u003cp\u003eThis issue affects Devolutions Server: through 2025.2.20, through 2025.3.8.\u003c/p\u003e"
}
],
"value": "SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T15:30:30.532Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0018/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-13757",
"datePublished": "2025-11-27T15:30:30.532Z",
"dateReserved": "2025-11-26T20:34:33.909Z",
"dateUpdated": "2025-12-01T19:15:31.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13765 (GCVE-0-2025-13765)
Vulnerability from cvelistv5 – Published: 2025-11-27 15:30 – Updated: 2025-12-01 19:15
VLAI?
Summary
Exposure of email service credentials to users without administrative rights in Devolutions Server.This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , < 2025.2.21
(custom)
Affected: 0 , < 2025.3.9 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T18:51:42.897374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T19:15:37.321Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThan": "2025.2.21",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2025.3.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of email service credentials to users without administrative rights in Devolutions Server.\u003cp\u003eThis issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.\u003c/p\u003e"
}
],
"value": "Exposure of email service credentials to users without administrative rights in Devolutions Server.This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T15:30:13.028Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0018/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-13765",
"datePublished": "2025-11-27T15:30:13.028Z",
"dateReserved": "2025-11-27T14:55:53.956Z",
"dateUpdated": "2025-12-01T19:15:37.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12485 (GCVE-0-2025-12485)
Vulnerability from cvelistv5 – Published: 2025-11-06 16:37 – Updated: 2025-11-07 14:07
VLAI?
Summary
Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step.
This issue affects the following versions :
* Devolutions Server 2025.3.2.0 through 2025.3.5.0
*
Devolutions Server 2025.2.15.0 and earlier
Severity ?
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
2025.3.2.0 , ≤ 2025.3.5.0
(custom)
Affected: 0 , ≤ 2025.2.15.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T19:37:22.378650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T19:37:36.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.3.5.0",
"status": "affected",
"version": "2025.3.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.2.15.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003eThis does not bypass the target account MFA verification step.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\n\u003cp\u003eThis issue affects the following versions :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server\u0026nbsp;2025.3.2.0 through\u0026nbsp;2025.3.5.0\u003c/li\u003e\u003cli\u003e\n\nDevolutions Server 2025.2.15.0 and earlier\u0026nbsp;\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\n\n\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step.\n\n\n\n\n\nThis issue affects the following versions :\n\n * Devolutions Server\u00a02025.3.2.0 through\u00a02025.3.5.0\n * \n\nDevolutions Server 2025.2.15.0 and earlier"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T14:07:04.358Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0016"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-12485",
"datePublished": "2025-11-06T16:37:14.546Z",
"dateReserved": "2025-10-29T19:20:46.159Z",
"dateUpdated": "2025-11-07T14:07:04.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12808 (GCVE-0-2025-12808)
Vulnerability from cvelistv5 – Published: 2025-11-06 16:36 – Updated: 2025-11-07 14:06
VLAI?
Summary
Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.
This issue affects the following versions :
* Devolutions Server 2025.3.2.0 through 2025.3.5.0
*
Devolutions Server 2025.2.15.0 and earlier
Severity ?
6.5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
2025.3.2.0 , ≤ 2025.3.5.0
(custom)
Affected: 0 , ≤ 2025.2.15.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-12808",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T19:39:09.402475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T19:39:13.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.3.5.0",
"status": "affected",
"version": "2025.3.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.2.15.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper access control in Devolutions allows a View-only user\u0026nbsp;to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\n\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects the following versions :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2025.3.2.0 through 2025.3.5.0\u003c/li\u003e\u003cli\u003e\n\nDevolutions Server 2025.2.15.0 and earlier \u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\n\n\u003c/div\u003e\n\n\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Improper access control in Devolutions allows a View-only user\u00a0to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.\n\n\n\n\n\nThis issue affects the following versions :\n\n * Devolutions Server 2025.3.2.0 through 2025.3.5.0\n * \n\nDevolutions Server 2025.2.15.0 and earlier"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T14:06:55.095Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0016"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-12808",
"datePublished": "2025-11-06T16:36:14.506Z",
"dateReserved": "2025-11-06T15:44:08.677Z",
"dateUpdated": "2025-11-07T14:06:55.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11957 (GCVE-0-2025-11957)
Vulnerability from cvelistv5 – Published: 2025-10-22 17:09 – Updated: 2025-11-25 17:25
VLAI?
Summary
Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.2.12.0
(custom)
|
Credits
Gino Boudreau (mononclemich)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T17:34:13.085644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T17:44:03.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.2.12.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gino Boudreau (mononclemich)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests."
}
],
"value": "Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T17:25:37.093Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0015/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-11957",
"datePublished": "2025-10-22T17:09:15.684Z",
"dateReserved": "2025-10-20T12:21:03.561Z",
"dateUpdated": "2025-11-25T17:25:37.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11958 (GCVE-0-2025-11958)
Vulnerability from cvelistv5 – Published: 2025-10-22 17:08 – Updated: 2025-11-27 15:41
VLAI?
Summary
An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboard via a crafted request.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.2.15.0
(custom)
|
Credits
bhatta_jeewan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T17:38:37.456133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T17:45:45.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.2.15.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "bhatta_jeewan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper input validation in the Security Dashboard \u003ccode\u003eignored-tasks\u003c/code\u003e API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboard via a crafted\u0026nbsp;request."
}
],
"value": "An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboard via a crafted\u00a0request."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T15:41:00.993Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0015/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-11958",
"datePublished": "2025-10-22T17:08:29.440Z",
"dateReserved": "2025-10-20T12:22:51.737Z",
"dateUpdated": "2025-11-27T15:41:00.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11619 (GCVE-0-2025-11619)
Vulnerability from cvelistv5 – Published: 2025-10-15 19:45 – Updated: 2025-10-15 20:01
VLAI?
Summary
Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic.
Severity ?
8.8 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Devolutions Server |
Affected:
2025.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-11619",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T20:01:13.163043Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T20:01:15.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Devolutions Server",
"vendor": "Devolutions",
"versions": [
{
"status": "affected",
"version": "2025.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers\u0026nbsp;in MitM position to intercept traffic."
}
],
"value": "Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers\u00a0in MitM position to intercept traffic."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T19:45:10.912Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0014/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-11619",
"datePublished": "2025-10-15T19:45:10.912Z",
"dateReserved": "2025-10-10T17:12:48.081Z",
"dateUpdated": "2025-10-15T20:01:15.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8312 (GCVE-0-2025-8312)
Vulnerability from cvelistv5 – Published: 2025-07-30 16:10 – Updated: 2025-08-19 12:18
VLAI?
Summary
Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.This issue affects the following version(s) :
*
Devolutions Server 2025.2.2.0 through 2025.2.5.0
* Devolutions Server 2025.1.12.0 and earlier
Severity ?
7.1 (High)
CWE
- CWE-833 - Deadlock
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
2025.2.2.0 , ≤ 2025.2.5.0
(custom)
Affected: 0 , ≤ 2025.1.13.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T16:16:17.206710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T16:16:20.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.2.5.0",
"status": "affected",
"version": "2025.2.2.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.1.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.\u003cp\u003eThis issue affects the following version(s) :\u003c/p\u003e\u003cul\u003e\u003cli\u003e\nDevolutions Server 2025.2.2.0 through 2025.2.5.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2025.1.12.0 and earlier\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.This issue affects the following version(s) :\n\n * \nDevolutions Server 2025.2.2.0 through 2025.2.5.0\n * Devolutions Server 2025.1.12.0 and earlier"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-833",
"description": "CWE-833: Deadlock",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T12:18:26.409Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0013/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-8312",
"datePublished": "2025-07-30T16:10:05.322Z",
"dateReserved": "2025-07-29T16:44:13.389Z",
"dateUpdated": "2025-08-19T12:18:26.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8353 (GCVE-0-2025-8353)
Vulnerability from cvelistv5 – Published: 2025-07-30 16:06 – Updated: 2025-07-30 16:17
VLAI?
Summary
UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing.
Severity ?
5.9 (Medium)
CWE
- CWE-446 - UI Discrepancy for Security Feature
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.2.4.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8353",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T16:17:35.703576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T16:17:38.655Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.2.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eUI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-446",
"description": "CWE-446: UI Discrepancy for Security Feature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T16:06:46.196Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0013/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-8353",
"datePublished": "2025-07-30T16:06:46.196Z",
"dateReserved": "2025-07-30T13:30:32.056Z",
"dateUpdated": "2025-07-30T16:17:38.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6741 (GCVE-0-2025-6741)
Vulnerability from cvelistv5 – Published: 2025-07-22 17:00 – Updated: 2025-11-25 17:24
VLAI?
Summary
Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature
This issue affects the following versions :
* Devolutions Server 2025.2.2.0 through 2025.2.4.0
*
Devolutions Server 2025.1.11.0 and earlier
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.1.11.0
(custom)
Affected: 2025.2.2.0 , ≤ 2025.2.4.0 (custom) |
Credits
Gino Boudreau (mononclemich)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-6741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T18:37:00.371689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T18:38:07.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.11.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.2.4.0",
"status": "affected",
"version": "2025.2.2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gino Boudreau (mononclemich)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature\u003c/div\u003e\u003cbr\u003e\u003cp\u003eThis issue affects the following versions :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2025.2.2.0 through 2025.2.4.0\u003c/li\u003e\u003cli\u003e\nDevolutions Server 2025.1.11.0 and earlier\n\n\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature\n\n\nThis issue affects the following versions :\n\n * Devolutions Server 2025.2.2.0 through 2025.2.4.0\n * \nDevolutions Server 2025.1.11.0 and earlier"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T17:24:25.958Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0012/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-6741",
"datePublished": "2025-07-22T17:00:15.146Z",
"dateReserved": "2025-06-26T17:34:35.373Z",
"dateUpdated": "2025-11-25T17:24:25.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6523 (GCVE-0-2025-6523)
Vulnerability from cvelistv5 – Published: 2025-07-22 17:00 – Updated: 2025-11-25 17:23
VLAI?
Summary
Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe.
This issue affects the following versions :
* Devolutions Server 2025.2.2.0 through 2025.2.3.0
*
Devolutions Server 2025.1.11.0 and earlier
Severity ?
CWE
- CWE-1391 - Use of Weak Credentials
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.1.11.0
(custom)
Affected: 2025.2.2.0 , ≤ 2025.2.3.0 (custom) |
Credits
Gino Boudreau (mononclemich)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-6523",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-22T18:40:53.083607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T18:41:36.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.11.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.2.3.0",
"status": "affected",
"version": "2025.2.2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gino Boudreau (mononclemich)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUse of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe.\u003cbr\u003e\u003cbr\u003eThis issue affects the following versions :\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2025.2.2.0 through 2025.2.3.0\u003c/li\u003e\u003cli\u003e\nDevolutions Server 2025.1.11.0 and earlier\n\n\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\n\n\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe.\n\nThis issue affects the following versions :\n\n * Devolutions Server 2025.2.2.0 through 2025.2.3.0\n * \nDevolutions Server 2025.1.11.0 and earlier"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1391",
"description": "CWE-1391: Use of Weak Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T17:23:40.966Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0012/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-6523",
"datePublished": "2025-07-22T17:00:10.697Z",
"dateReserved": "2025-06-23T14:04:39.194Z",
"dateUpdated": "2025-11-25T17:23:40.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-0691 (GCVE-0-2025-0691)
Vulnerability from cvelistv5 – Published: 2025-06-05 13:41 – Updated: 2025-06-05 14:06
VLAI?
Summary
Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation.
Severity ?
5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.1.10.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-0691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T14:02:31.682676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T14:06:43.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the \"Edit permission\" permission by bypassing the client side validation.\u003c/div\u003e"
}
],
"value": "Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the \"Edit permission\" permission by bypassing the client side validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T13:41:42.695Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0011/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-0691",
"datePublished": "2025-06-05T13:41:42.695Z",
"dateReserved": "2025-01-23T20:14:30.466Z",
"dateUpdated": "2025-06-05T14:06:43.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5382 (GCVE-0-2025-5382)
Vulnerability from cvelistv5 – Published: 2025-06-05 13:37 – Updated: 2025-06-05 13:58
VLAI?
Summary
Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.
Severity ?
6.8 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.1.7.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-5382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T13:55:28.426952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T13:58:59.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA."
}
],
"value": "Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T13:37:05.463Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0011/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-5382",
"datePublished": "2025-06-05T13:37:05.463Z",
"dateReserved": "2025-05-30T12:31:45.409Z",
"dateUpdated": "2025-06-05T13:58:59.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3768 (GCVE-0-2025-3768)
Vulnerability from cvelistv5 – Published: 2025-06-05 13:36 – Updated: 2025-06-05 14:09
VLAI?
Summary
Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.
Severity ?
5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.1.10.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-3768",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T14:08:13.256557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T14:09:18.593Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T13:36:41.991Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0011/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-3768",
"datePublished": "2025-06-05T13:36:41.991Z",
"dateReserved": "2025-04-17T15:07:14.619Z",
"dateUpdated": "2025-06-05T14:09:18.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4433 (GCVE-0-2025-4433)
Vulnerability from cvelistv5 – Published: 2025-05-30 12:16 – Updated: 2025-11-25 17:21
VLAI?
Summary
Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both "User Management" and "User Group Management" permissions to perform privilege escalation by adding users to groups with administrative privileges.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2025.1.7.0
(custom)
|
Credits
Gino Boudreau (mononclemich)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-4433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T13:54:22.920049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T13:54:34.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gino Boudreau (mononclemich)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both \"User Management\" and \"User Group Management\" permissions to perform privilege escalation by adding users to groups with administrative privileges."
}
],
"value": "Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both \"User Management\" and \"User Group Management\" permissions to perform privilege escalation by adding users to groups with administrative privileges."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T17:21:58.188Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0010/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-4433",
"datePublished": "2025-05-30T12:16:03.245Z",
"dateReserved": "2025-05-08T13:12:45.684Z",
"dateUpdated": "2025-11-25T17:21:58.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5334 (GCVE-0-2025-5334)
Vulnerability from cvelistv5 – Published: 2025-05-29 14:47 – Updated: 2025-06-10 18:24
VLAI?
Summary
Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager
allows an authenticated user to gain unauthorized access to private personal information.
Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users.
This issue affects the following versions :
* Remote Desktop Manager Windows 2025.1.34.0 and earlier
*
Remote Desktop Manager macOS 2025.1.16.3 and earlier
*
Remote Desktop Manager Android 2025.1.3.3 and earlier
*
Remote Desktop Manager iOS 2025.1.6.0 and earlier
Severity ?
7.5 (High)
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Devolutions | Remote Desktop Manager |
Affected:
0 , ≤ 2025.1.34.0
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-5334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-29T14:59:46.593959Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T15:02:42.279Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.34.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"iOS"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.16.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eExposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager\nallows an authenticated user to gain unauthorized access to private personal information. \n\n\n\nUnder specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects the following versions :\u003c/p\u003e\u003cul\u003e\u003cli\u003eRemote Desktop Manager Windows 2025.1.34.0 and earlier\u003c/li\u003e\u003cli\u003e\nRemote Desktop Manager macOS 2025.1.16.3 and earlier\n\n\u003cbr\u003e\u003c/li\u003e\u003cli\u003e\nRemote Desktop Manager Android 2025.1.3.3 and earlier\u003c/li\u003e\u003cli\u003e\nRemote Desktop Manager iOS 2025.1.6.0 and earlier\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager\nallows an authenticated user to gain unauthorized access to private personal information. \n\n\n\nUnder specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users.\n\n\n\n\nThis issue affects the following versions :\n\n * Remote Desktop Manager Windows 2025.1.34.0 and earlier\n * \nRemote Desktop Manager macOS 2025.1.16.3 and earlier\n\n\n\n * \nRemote Desktop Manager Android 2025.1.3.3 and earlier\n * \nRemote Desktop Manager iOS 2025.1.6.0 and earlier"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T18:24:21.477Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0009"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-5334",
"datePublished": "2025-05-29T14:47:25.817Z",
"dateReserved": "2025-05-29T14:04:27.697Z",
"dateUpdated": "2025-06-10T18:24:21.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4493 (GCVE-0-2025-4493)
Vulnerability from cvelistv5 – Published: 2025-05-28 12:35 – Updated: 2025-05-28 14:01
VLAI?
Summary
Improper privilege assignment in PAM JIT privilege sets in Devolutions
Server allows a PAM user to perform PAM JIT
requests on unauthorized groups by exploiting a user interface issue.
This issue affects the following versions :
* Devolutions Server 2025.1.3.0 through 2025.1.7.0
* Devolutions Server 2024.3.15.0 and earlier
Severity ?
6.5 (Medium)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
2025.1.3.0 , ≤ 2025.1.7.0
(custom)
Affected: 0 , ≤ 2024.3.15.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-4493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T14:01:29.783316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T14:01:58.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.7.0",
"status": "affected",
"version": "2025.1.3.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2024.3.15.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper privilege assignment in PAM JIT privilege sets in Devolutions \nServer allows a PAM user to perform PAM JIT \nrequests on unauthorized groups by exploiting a user interface issue.\n\n\u003cbr\u003e\u003cp\u003eThis issue affects the following versions :\u0026nbsp;\u003c/p\u003e\u003cul\u003e\u003cli\u003eDevolutions Server 2025.1.3.0 through 2025.1.7.0\u003c/li\u003e\u003cli\u003eDevolutions Server 2024.3.15.0 and earlier \u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Improper privilege assignment in PAM JIT privilege sets in Devolutions \nServer allows a PAM user to perform PAM JIT \nrequests on unauthorized groups by exploiting a user interface issue.\n\n\nThis issue affects the following versions :\u00a0\n\n * Devolutions Server 2025.1.3.0 through 2025.1.7.0\n * Devolutions Server 2024.3.15.0 and earlier"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T12:35:36.654Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0008/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-4493",
"datePublished": "2025-05-28T12:35:36.654Z",
"dateReserved": "2025-05-09T12:08:57.852Z",
"dateUpdated": "2025-05-28T14:01:58.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4316 (GCVE-0-2025-4316)
Vulnerability from cvelistv5 – Published: 2025-05-05 14:00 – Updated: 2025-05-14 12:32
VLAI?
Summary
Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions.
This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.
Severity ?
4.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
2025.1.3.0 , ≤ 2025.1.6.0
(custom)
Affected: 0 , ≤ 2024.3.15.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-4316",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T15:47:51.489540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T18:57:11.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.6.0",
"status": "affected",
"version": "2025.1.3.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2024.3.15.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\nThis issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.\n\n\n\n\n\n\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions.\n\n\n\n\n\nThis issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T12:32:48.526Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0007/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-4316",
"datePublished": "2025-05-05T14:00:50.110Z",
"dateReserved": "2025-05-05T13:54:39.887Z",
"dateUpdated": "2025-05-14T12:32:48.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3517 (GCVE-0-2025-3517)
Vulnerability from cvelistv5 – Published: 2025-05-01 18:26 – Updated: 2025-05-02 12:21
VLAI?
Summary
Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal account’s SID when updating the username.
Severity ?
6.3 (Medium)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Devolutions Server |
Affected:
0 , ≤ 2025.1.5.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-3517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T18:46:35.300866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T18:47:12.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Devolutions Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eIncorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal account\u2019s SID when updating the username.\n\n\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal account\u2019s SID when updating the username."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T12:21:00.974Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0006/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-3517",
"datePublished": "2025-05-01T18:26:22.565Z",
"dateReserved": "2025-04-11T13:27:07.314Z",
"dateUpdated": "2025-05-02T12:21:00.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2600 (GCVE-0-2025-2600)
Vulnerability from cvelistv5 – Published: 2025-03-26 17:37 – Updated: 2025-08-26 17:43
VLAI?
Summary
Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use the ELEVATED_PASSWORD variable even though not allowed by the "Allow password in variable policy".
This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.
Severity ?
6.8 (Medium)
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Remote Desktop Manager |
Affected:
2025.1.24 , ≤ 2025.1.25
(custom)
Affected: 0 , ≤ 2024.3.29 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-2600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T18:59:34.860836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T15:01:14.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.25",
"status": "affected",
"version": "2025.1.24",
"versionType": "custom"
},
{
"lessThanOrEqual": "2024.3.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use the ELEVATED_PASSWORD variable even though not allowed by the \"Allow password in variable policy\". \u003cbr\u003e\u003cbr\u003e\n\n\n\nThis issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use the ELEVATED_PASSWORD variable even though not allowed by the \"Allow password in variable policy\". \n\n\n\n\n\nThis issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T17:43:23.847Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-2600",
"datePublished": "2025-03-26T17:37:39.621Z",
"dateReserved": "2025-03-21T13:07:59.688Z",
"dateUpdated": "2025-08-26T17:43:23.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2562 (GCVE-0-2025-2562)
Vulnerability from cvelistv5 – Published: 2025-03-26 17:24 – Updated: 2025-03-26 18:18
VLAI?
Summary
Insufficient logging in the autotyping feature in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a stored password without generating a corresponding log event, via the use of the autotyping functionality.
This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.
Severity ?
5.4 (Medium)
CWE
- CWE-778 - Insufficient Logging
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Remote Desktop Manager |
Affected:
2025.1.24 , ≤ 2025.1.25
(custom)
Affected: 0 , ≤ 2024.3.29 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-2562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T18:18:19.037045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T18:18:25.425Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.25",
"status": "affected",
"version": "2025.1.24",
"versionType": "custom"
},
{
"lessThanOrEqual": "2024.3.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eInsufficient logging in the autotyping feature in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a stored password without generating a corresponding log event, via the use of the autotyping functionality.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\n\n\nThis issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.\n\n\n\n\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Insufficient logging in the autotyping feature in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a stored password without generating a corresponding log event, via the use of the autotyping functionality.\n\n\n\n\n\n\n\nThis issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-778",
"description": "CWE-778: Insufficient Logging",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T17:24:37.280Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-2562",
"datePublished": "2025-03-26T17:24:37.280Z",
"dateReserved": "2025-03-20T13:03:18.069Z",
"dateUpdated": "2025-03-26T18:18:25.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2528 (GCVE-0-2025-2528)
Vulnerability from cvelistv5 – Published: 2025-03-26 17:20 – Updated: 2025-03-26 18:55
VLAI?
Summary
Improper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to
use a configuration different from the one mandated by the system administrators.
This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Remote Desktop Manager |
Affected:
2025.1.24 , ≤ 2025.1.25
(custom)
Affected: 0 , ≤ 2024.3.29 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-2528",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T18:55:05.604428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T18:55:36.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.25",
"status": "affected",
"version": "2025.1.24",
"versionType": "custom"
},
{
"lessThanOrEqual": "2024.3.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to \nuse a configuration different from the one mandated by the system administrators.\n\n\u003cbr\u003e\u003cbr\u003e\n\nThis issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.\n\n\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Improper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to \nuse a configuration different from the one mandated by the system administrators.\n\n\n\n\n\nThis issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T17:20:00.521Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-2528",
"datePublished": "2025-03-26T17:20:00.521Z",
"dateReserved": "2025-03-19T15:00:44.706Z",
"dateUpdated": "2025-03-26T18:55:36.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2499 (GCVE-0-2025-2499)
Vulnerability from cvelistv5 – Published: 2025-03-26 17:14 – Updated: 2025-03-26 19:31
VLAI?
Summary
Client side access control bypass in the permission component in
Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictions—specifically View Password, Edit Asset, and Edit Permissions by performing specific actions.
This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.
Severity ?
5.4 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Remote Desktop Manager |
Affected:
2025.1.24 , ≤ 2025.1.25
(custom)
Affected: 0 , ≤ 2024.3.29 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-2499",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T19:31:00.803040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T19:31:19.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.1.25",
"status": "affected",
"version": "2025.1.24",
"versionType": "custom"
},
{
"lessThanOrEqual": "2024.3.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-03-26T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Client side access control bypass in the permission component in \nDevolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictions\u2014specifically View Password, Edit Asset, and Edit Permissions by performing specific actions. \u003cbr\u003e\u003cp\u003e\nThis issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.\u003c/p\u003e"
}
],
"value": "Client side access control bypass in the permission component in \nDevolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictions\u2014specifically View Password, Edit Asset, and Edit Permissions by performing specific actions. \n\nThis issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T17:14:59.457Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0005/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-2499",
"datePublished": "2025-03-26T17:14:59.457Z",
"dateReserved": "2025-03-18T14:03:06.856Z",
"dateUpdated": "2025-03-26T19:31:19.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2280 (GCVE-0-2025-2280)
Vulnerability from cvelistv5 – Published: 2025-03-13 13:02 – Updated: 2025-03-19 13:22
VLAI?
Summary
Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0
and earlier allows an authenticated user to bypass the browser extension restriction feature.
Severity ?
8.1 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2024.3.4.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-2280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:15:18.224214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:17:41.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2024.3.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper access control in web extension restriction feature in Devolutions Server 2024.3.4.0\n\n and earlier allows an authenticated user to bypass the browser extension restriction feature.\u003c/div\u003e"
}
],
"value": "Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0\n\n and earlier allows an authenticated user to bypass the browser extension restriction feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T13:22:55.007Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0004/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-2280",
"datePublished": "2025-03-13T13:02:47.702Z",
"dateReserved": "2025-03-13T12:57:58.848Z",
"dateUpdated": "2025-03-19T13:22:55.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2278 (GCVE-0-2025-2278)
Vulnerability from cvelistv5 – Published: 2025-03-13 12:56 – Updated: 2025-03-18 16:18
VLAI?
Summary
Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.
Severity ?
6.5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2024.3.13
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-2278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:18:41.296906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:18:46.095Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2024.3.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eImproper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.\u003c/div\u003e"
}
],
"value": "Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T12:56:04.995Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0004/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-2278",
"datePublished": "2025-03-13T12:56:04.995Z",
"dateReserved": "2025-03-13T12:49:12.091Z",
"dateUpdated": "2025-03-18T16:18:46.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1636 (GCVE-0-2025-1636)
Vulnerability from cvelistv5 – Published: 2025-03-13 12:47 – Updated: 2025-03-18 16:20
VLAI?
Summary
Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to inadvertently leak the My Personal Credentials in a shared vault via the clear history feature due to faulty business logic.
Severity ?
6.5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Remote Desktop Manager |
Affected:
0 , ≤ 2024.3.29.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-1636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:20:46.578469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:20:55.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2024.3.29.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eExposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to inadvertently leak the My Personal Credentials in a shared vault via the clear history feature due to faulty business logic.\u003c/div\u003e"
}
],
"value": "Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to inadvertently leak the My Personal Credentials in a shared vault via the clear history feature due to faulty business logic."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T17:28:45.691Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0004/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-1636",
"datePublished": "2025-03-13T12:47:13.034Z",
"dateReserved": "2025-02-24T16:29:56.376Z",
"dateUpdated": "2025-03-18T16:20:55.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1635 (GCVE-0-2025-1635)
Vulnerability from cvelistv5 – Published: 2025-03-13 12:47 – Updated: 2025-03-18 16:30
VLAI?
Summary
Exposure of sensitive information in hub data source export feature in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows a user exporting a hub data source to include his authenticated session in the export due to faulty business logic.
Severity ?
6.5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Remote Desktop Manager |
Affected:
0 , ≤ 2024.3.29.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-1635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:21:29.331518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:30:09.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2024.3.29.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eExposure of sensitive information in hub data source export feature in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows a user exporting a hub data source to include his authenticated session in the export due to faulty business logic.\u003c/div\u003e"
}
],
"value": "Exposure of sensitive information in hub data source export feature in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows a user exporting a hub data source to include his authenticated session in the export due to faulty business logic."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T12:47:06.016Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0004/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-1635",
"datePublished": "2025-03-13T12:47:06.016Z",
"dateReserved": "2025-02-24T15:37:59.245Z",
"dateUpdated": "2025-03-18T16:30:09.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2277 (GCVE-0-2025-2277)
Vulnerability from cvelistv5 – Published: 2025-03-13 12:47 – Updated: 2025-03-18 16:30
VLAI?
Summary
Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently leak his SSH password due to missing password masking.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Devolutions | Server |
Affected:
0 , ≤ 2024.3.13.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-2277",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T16:30:32.395831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T16:30:53.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2024.3.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eExposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently leak his SSH password due to missing password masking.\u003c/div\u003e"
}
],
"value": "Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently leak his SSH password due to missing password masking."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T12:47:02.631Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2025-0004/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2025-2277",
"datePublished": "2025-03-13T12:47:02.631Z",
"dateReserved": "2025-03-13T12:42:17.156Z",
"dateUpdated": "2025-03-18T16:30:53.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}