cvebase

Devolutions Server vulnerabilities

104 known vulnerabilities affecting devolutions/devolutions_server.

Total CVEs: 104
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 26, MEDIUM 60, LOW 9, UNKNOWN 3

Vulnerabilities

Page 2 of 6
CVE-2025-11619 | P3 | HIGH | CVSS 8.8 | fixed in 2025.2.15.0; ≥ 2025.3.2.0, < 2025.3.3.0; +1 more | 2025-10-15
CWE-295: Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic.
Source: NVD

CVE-2025-6741 | P3 | HIGH | CVSS 7.7 | ≤ 2025.1.11.0; ≥ 2025.2.2.0, < 2025.2.5.0 | 2025-07-22
CWE-284: Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature. This issue affects the following versions:
* Devolutions Server 2025.2.2.0 through 2025.2.4.0
* Devolutions Server 2025.1.11.0 and earlier
Source: NVD

CVE-2024-1764 | P3 | HIGH | CVSS 7.6 | fixed in 2023.3.16.0 | 2024-03-05
CWE-269: Improper privilege management in Just-in-time (JIT) elevation module in Devolutions Server 2023.3.14.0 and earlier allows a user to continue using the elevated privilege even after the expiration under specific circumstances.
Source: NVD

CVE-2023-5240 | P3 | HIGH | CVSS 7.5 | ≤ 2023.2.8.0 | 2023-10-13
CWE-284: Improper access control in PAM propagation scripts in Devolutions Server 2023.2.8.0 and earlier allows an attacker with permission to manage PAM propagation scripts to retrieve passwords stored in it via a GET request.
Source: NVD

CVE-2021-28157 | P3 | HIGH | CVSS 7.2 | fixed in 2020.3.18; fixed in 2021.1 | 2021-04-14
CWE-89: An SQL Injection issue in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows an administrative user to execute arbitrary SQL commands via a username in api/security/userinfo/delete.
Source: NVD

CVE-2021-23923 | P3 | HIGH | CVSS 8.1 | fixed in 2020.3 | 2021-04-01
CWE-287: An issue was discovered in Devolutions Server before 2020.3. There is Broken Authentication with Windows domain users.
Source: NVD

CVE-2026-4434 | P3 | HIGH | CVSS 8.1 | fixed in 2026.1.6.0 | 2026-03-20
CWE-295: Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.
Source: NVD

CVE-2026-1007 | P3 | HIGH | CVSS 7.6 | ≥ 2025.3.1.0, < 2025.3.14.0 | 2026-01-19
CWE-863: Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules. This issue affects Server: from 2025.3.1 through 2025.3.12.
Source: NVD

CVE-2026-7325 | P3 | HIGH | CVSS 7.1 | fixed in 2025.3.22.0; ≥ 2026.1.6.0, < 2026.1.19.0 | 2026-05-22
CWE-918: Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* De
Source: NVD

CVE-2026-3131 | P3 | MEDIUM | CVSS 6.5 | fixed in 2025.3.15.0 | 2026-02-24
CWE-200: Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data.
Source: NVD

CVE-2026-10544 | P3 | MEDIUM | CVSS 6.5 | fixed in 2026.1.21.0; v2026.2.4.0 | 2026-06-08
CWE-78: Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects:
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0
Source: NVD

CVE-2024-4846 | P3 | MEDIUM | CVSS 6.3 | fixed in 2024.1.15.0 | 2024-06-25
CWE-290: Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab.
Source: NVD

CVE-2025-2003 | P3 | HIGH | CVSS 7.1 | fixed in 2024.3.13.0 | 2025-03-05
CWE-863: Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission.
Source: NVD

CVE-2025-8312 | P3 | HIGH | CVSS 7.1 | fixed in 2025.2.7.0 | 2025-07-30
CWE-833: Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service. This issue affects the following version(s):
* Devolutions Server 2025.2.2.0 through 2025.2.5.0
* Devolutions Server 2025.1.12.0 and earlier
Source: NVD

CVE-2025-12808 | P3 | MEDIUM | CVSS 6.5 | fixed in 2025.2.17.0; ≥ 2025.3.2.0, < 2025.3.6.0 | 2025-11-06
CWE-284: Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure. This issue affects the following versions:
* Devolutions Server 2025.3.2.0 through 2025.3.5.0
* Devolutions Server 2025.2.15.0 and earlier
Source: NVD

CVE-2026-6706 | P3 | MEDIUM | CVSS 6.5 | fixed in 2025.3.19.0; ≥ 2026.1.6.0, < 2026.1.15.0 | 2026-04-28
CWE-862: Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.
Source: NVD

CVE-2026-10786 | P3 | MEDIUM | CVSS 6.5 | fixed in 2026.1.21.0; v2026.2.4.0 | 2026-06-08
CWE-312: Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects:
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier
Source: NVD

CVE-2025-13683 | P3 | MEDIUM | CVSS 6.5 | fixed in 2025.3.10.0 | 2025-11-28
CWE-200: Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows. This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0.
Source: NVD

CVE-2025-8353 | P3 | MEDIUM | CVSS 5.9 | fixed in 2025.2.5.0 | 2025-07-30
CWE-446: UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing.
Source: NVD

CVE-2024-5072 | P3 | MEDIUM | CVSS 6.5 | fixed in 2024.1.12.0 | 2024-05-17
Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.11.0 and earlier allows an authenticated user with access to the PAM JIT elevation feature to manipulate the LDAP filter query via a specially crafted request.
Source: NVD
