Devolutions

By the Year

In 2026 there have been 11 vulnerabilities in Devolutions with an average score of 7.7 out of ten. Last year, in 2025 Devolutions had 34 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Devolutions in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.69.

Recent Devolutions Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-3638	Mar 09, 2026	Low-Priv Auth Restores Users/roles via API on Devolutions Server 2025.3.11.0 Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.
CVE-2026-3130	Mar 03, 2026	Devolutions Server 2025.3.15: Auth Bulk Delete Triggers CheckedOut PAM Removal Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
CVE-2026-3204	Mar 03, 2026	Devolutions Server 2025.3.15 Improper Validation Spoofing (Err Msg Page) Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
CVE-2026-2590	Mar 03, 2026	Disable-Password-Saving not enforced in Devolutions RDM 2025.3.30 (Connection Entry) Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled.	Remote Desktop Manager
CVE-2026-3224	Mar 03, 2026	Devolutions Server 2025.3.15.0: Auth bypass via forged JWT (Entra ID) Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
CVE-2026-3277	Feb 27, 2026	Cleartext OIDC Client Secret in PowerShell Universal < 2026.1.3 The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows an attacker with read access to that file to obtain the OIDC client credentials
CVE-2026-3221	Feb 25, 2026	Devolutions Server 2025.3.14: Unencrypted user data in DB (CVE-2026-3221) Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.
CVE-2026-1007	Jan 19, 2026	Devolutions Server 2025.3.1-12 VG Auth Bypass Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.
CVE-2026-0610	Jan 19, 2026	SQL Injection in Devolutions Server 2025.3.1-2025.3.12 remote-sessions SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12
CVE-2026-0747	Jan 08, 2026	Devolutions RD Manager <2025.3.29: Pwd leak via TeamViewer entry mask on Win Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing.	Remote Desktop Manager
CVE-2026-0618	Jan 07, 2026	XSS in Devolutions PowerShell Universal <5.6.13 / <4.5.6 Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.
CVE-2025-13683	Nov 28, 2025	Devolutions Server/Remote Desktop Manager Credential Leak 2025.3.8/2025.3.23 Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0.	Remote Desktop Manager
CVE-2025-13758	Nov 27, 2025	Devolutions Server <=2025.3.8 Creds Exposure via Unintended Requests Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.8.	Devolutions Server
CVE-2025-13757	Nov 27, 2025	SQL Injection in Devolutions Server before 2025.3.8 SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8.	Devolutions Server
CVE-2025-13765	Nov 27, 2025	Devolutions Server <2025.2.21 & <2025.3.9: Non-Admin Credential Exposure Exposure of email service credentials to users without administrative rights in Devolutions Server.This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.	Devolutions Server
CVE-2025-12485	Nov 06, 2025	Devolutions Server 2025.3.5 PreMFA Cookie Privilege Escalation Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier	Devolutions Server
CVE-2025-12808	Nov 06, 2025	Devolutions Server <2025.3.5.0: View-only can pull password custom values Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier	Devolutions Server
CVE-2025-11957	Oct 22, 2025	Devolutions Server 2025.2.12.0: Improper Auth in Temp Access via API Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests.	Devolutions Server
CVE-2025-11958	Oct 22, 2025	DoS via crafted request in Sec. Dashboard ignored-tasks API Devolutions Server 2025.2.15 An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboard via a crafted request.	Devolutions Server
CVE-2025-11619	Oct 15, 2025	Devolutions Server 2025.3.2-and-earlier: Improper Cert Validation Enables MitM Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic.	Devolutions Server
CVE-2025-8312	Jul 30, 2025	Deadlock bypasses PAM checkin to keep passwords valid in Devolutions <=2025.2.5.0 Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.This issue affects the following version(s) : * Devolutions Server 2025.2.2.0 through 2025.2.5.0 * Devolutions Server 2025.1.12.0 and earlier	Devolutions Server
CVE-2025-8353	Jul 30, 2025	Devolutions Server 2025.2.4.0 and earlier: UI Sync RCE in JIT Approval UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing.	Devolutions Server
CVE-2025-6523	Jul 22, 2025	Auth Bypass via weak emergency codes in Devolutions Server 2025.2.2.0-2025.2.3.0 Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe. This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.3.0 * Devolutions Server 2025.1.11.0 and earlier	Devolutions Server
CVE-2025-6741	Jul 22, 2025	Unauth Access to Secure Message Attachments in Devolutions Server V2025.2.2-4 Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.4.0 * Devolutions Server 2025.1.11.0 and earlier	Devolutions Server
CVE-2025-0691	Jun 05, 2025	Improper Access Control in Devolutions Server before 2025.1.10.0 Permissions Component Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation.	Devolutions Server
CVE-2025-3768	Jun 05, 2025	Devolutions Server 2025.1.10.0 – Tor Block Access Control Issue Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.	Devolutions Server
CVE-2025-5382	Jun 05, 2025	Devolutions Server MFA Admin Access Control Flaw – 2025.1.7.0 & earlier Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.	Devolutions Server
CVE-2025-4433	May 30, 2025	Privilege Escalation via Improper Access Control in Devolutions Server 2025.1.7 Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both "User Management" and "User Group Management" permissions to perform privilege escalation by adding users to groups with administrative privileges.	Devolutions Server
CVE-2025-5334	May 29, 2025	Remote Desktop Manager <=2025.1.34.0 User Vaults Leak Data; Unauthorized Access Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to private personal information. Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users. This issue affects the following versions : * Remote Desktop Manager Windows 2025.1.34.0 and earlier * Remote Desktop Manager macOS 2025.1.16.3 and earlier * Remote Desktop Manager Android 2025.1.3.3 and earlier * Remote Desktop Manager iOS 2025.1.6.0 and earlier	Remote Desktop Manager
CVE-2025-4493	May 28, 2025	Devolutions Server (v2025.1.3-2025.1.7) Improper PAM JIT Privilege Assignment Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized groups by exploiting a user interface issue. This issue affects the following versions :  * Devolutions Server 2025.1.3.0 through 2025.1.7.0 * Devolutions Server 2024.3.15.0 and earlier	Devolutions Server
CVE-2025-4316	May 05, 2025	Devolutions Server 2025.1.3.0-2025.1.6.0: PAM Self-Approval Access Control Flaw Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.	Devolutions Server
CVE-2025-3517	May 01, 2025	Privilege Escalation via PAM JIT in Devolutions Server 2025.1.5.0 Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal accounts SID when updating the username.	Devolutions Server
CVE-2025-2499	Mar 26, 2025	Client-Side ACL Bypass in Devolutions RM 2025.1.24-25 Permissions Client side access control bypass in the permission component in Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictionsspecifically View Password, Edit Asset, and Edit Permissions by performing specific actions. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2528	Mar 26, 2025	Improper Auth: Remote Desktop Manager 2025.1.24-2025.1.25 Bypass-PW Policy Improper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a configuration different from the one mandated by the system administrators. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2562	Mar 26, 2025	Insufficient Logging in Devolutions RDM Autotyping (2025.1.24-25, <=2024.3.29) Insufficient logging in the autotyping feature in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a stored password without generating a corresponding log event, via the use of the autotyping functionality. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2600	Mar 26, 2025	Remote Desktop Manager 2025.1.24-25 Improper Authorization of ELEVATED_PASSWORD Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated password to use the ELEVATED_PASSWORD variable even though not allowed by the "Allow password in variable policy". This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-1635	Mar 13, 2025	Remote Desktop Manager 2024.3.29 Exposes Sensitive Session Data via Hub Export on Windows Exposure of sensitive information in hub data source export feature in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows a user exporting a hub data source to include his authenticated session in the export due to faulty business logic.	Remote Desktop Manager
CVE-2025-1636	Mar 13, 2025	Remote Desktop Manager <=2024.3.29: Credentials Leakage via Clear History Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to inadvertently leak the My Personal Credentials in a shared vault via the clear history feature due to faulty business logic.	Remote Desktop Manager
CVE-2025-2277	Mar 13, 2025	Devolutions Server <=2024.3.13 Leaks SSH Password via Web Auth Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently leak his SSH password due to missing password masking.	Devolutions Server
CVE-2025-2278	Mar 13, 2025	Devolutions Server 2024.3.13 – Improper Access on Temp & Checkout Endpoints Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.	Devolutions Server
CVE-2025-2280	Mar 13, 2025	Improper ACL in Devolutions Server 2024.3.4.0 Web Ext Restriction Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature.	Devolutions Server
CVE-2025-2003	Mar 05, 2025	Devolutions Server 2024.3.12 - PAM Vault Authorization Bypass Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission.	Devolutions Server
CVE-2025-1231	Feb 11, 2025	PAM Password Reset Reuse Oracle Password Devolutions Server 2024.3 Improper password reset in PAM Module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the oracle user password after check-in due to crash in the password reset functionality.	Devolutions Server
CVE-2025-1193	Feb 10, 2025	CVE-2025-1193: RDM Improper host validation in cert verification (pre-2024.3.19) Improper host validation in the certificate validation component in Devolutions Remote Desktop Manager on 2024.3.19 and earlier on Windows allows an attacker to intercept and modify encrypted communications via a man-in-the-middle attack by presenting a certificate for a different host.	Remote Desktop Manager
CVE-2024-11621	Feb 10, 2025	Devolutions RDM Cert Validation Flaw (MITM) before 2024.3.9.0 Missing certificate validation in Devolutions Remote Desktop Manager on macOS, iOS, Android, Linux allows an attacker to intercept and modify encrypted communications via a man-in-the-middle attack. Versions affected are : Remote Desktop Manager macOS 2024.3.9.0 and earlier Remote Desktop Manager Linux 2024.3.2.5 and earlier Remote Desktop Manager Android 2024.3.3.7 and earlier Remote Desktop Manager iOS 2024.3.3.0 and earlier Remote Desktop Manager Powershell 2024.3.6.0 and earlier	Remote Desktop Manager Remote Desktop Manager Powershell
CVE-2024-12148	Dec 04, 2024	Devolutions Server 2024.3.6.0 Auth Bypass in Permission Validation Component Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.	Devolutions Server
CVE-2024-12149	Dec 04, 2024	Devolutions RDM Temp Access Request Privilege Escalation (<=2024.3.19) Incorrect permission assignment in temporary access requests component in Devolutions Remote Desktop Manager 2024.3.19.0 and earlier on Windows allows an authenticated user that request temporary permissions on an entry to obtain more privileges than requested.	Remote Desktop Manager
CVE-2024-12151	Dec 04, 2024	Devolutions Server 2024.3.8.0: Migration Permission Bypass Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets.	Devolutions Server
CVE-2024-12196	Dec 04, 2024	Auth Authorization Flaw: View Password History in Devolutions Server <2024.3.7.0 Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.	Devolutions Server
CVE-2024-11672	Nov 25, 2024	Devolutions Remote Desktop Manager: Incorrect Authorization in Add Permission Component Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission via the import in vault feature.	Remote Desktop Manager