Devolutions

By the Year

In 2026 there have been 4 vulnerabilities in Devolutions with an average score of 6.7 out of ten. Last year, in 2025 Devolutions had 34 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. Last year, the average CVE base score was greater by 0.29

Recent Devolutions Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-1007	Jan 19, 2026	Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.
CVE-2026-0610	Jan 19, 2026	SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12 SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12
CVE-2026-0747	Jan 08, 2026	Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing.	Remote Desktop Manager
CVE-2026-0618	Jan 07, 2026	Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6 Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.
CVE-2025-13683	Nov 28, 2025	Devolutions Server/Remote Desktop Manager Credential Leak 2025.3.8/2025.3.23 Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0.	Remote Desktop Manager
CVE-2025-13758	Nov 27, 2025	Devolutions Server <=2025.3.8 Creds Exposure via Unintended Requests Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.8.	Devolutions Server
CVE-2025-13757	Nov 27, 2025	SQL Injection in Devolutions Server before 2025.3.8 SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8.	Devolutions Server
CVE-2025-13765	Nov 27, 2025	Devolutions Server <2025.2.21 & <2025.3.9: Non-Admin Credential Exposure Exposure of email service credentials to users without administrative rights in Devolutions Server.This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.	Devolutions Server
CVE-2025-12485	Nov 06, 2025	Devolutions Server 2025.3.5 PreMFA Cookie Privilege Escalation Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier	Devolutions Server
CVE-2025-12808	Nov 06, 2025	Devolutions Server <2025.3.5.0: View-only can pull password custom values Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier	Devolutions Server
CVE-2025-11957	Oct 22, 2025	Devolutions Server 2025.2.12.0: Improper Auth in Temp Access via API Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests.	Devolutions Server
CVE-2025-11958	Oct 22, 2025	DoS via crafted request in Sec. Dashboard ignored-tasks API Devolutions Server 2025.2.15 An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboard via a crafted request.	Devolutions Server
CVE-2025-11619	Oct 15, 2025	Devolutions Server 2025.3.2-and-earlier: Improper Cert Validation Enables MitM Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic.	Devolutions Server
CVE-2025-8312	Jul 30, 2025	Deadlock bypasses PAM checkin to keep passwords valid in Devolutions <=2025.2.5.0 Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.This issue affects the following version(s) : * Devolutions Server 2025.2.2.0 through 2025.2.5.0 * Devolutions Server 2025.1.12.0 and earlier	Devolutions Server
CVE-2025-8353	Jul 30, 2025	Devolutions Server 2025.2.4.0 and earlier: UI Sync RCE in JIT Approval UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing.	Devolutions Server
CVE-2025-6523	Jul 22, 2025	Auth Bypass via weak emergency codes in Devolutions Server 2025.2.2.0-2025.2.3.0 Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe. This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.3.0 * Devolutions Server 2025.1.11.0 and earlier	Devolutions Server
CVE-2025-6741	Jul 22, 2025	Unauth Access to Secure Message Attachments in Devolutions Server V2025.2.2-4 Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.4.0 * Devolutions Server 2025.1.11.0 and earlier	Devolutions Server
CVE-2025-0691	Jun 05, 2025	Improper Access Control in Devolutions Server before 2025.1.10.0 Permissions Component Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation.	Devolutions Server
CVE-2025-3768	Jun 05, 2025	Devolutions Server 2025.1.10.0 – Tor Block Access Control Issue Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.	Devolutions Server
CVE-2025-5382	Jun 05, 2025	Devolutions Server MFA Admin Access Control Flaw – 2025.1.7.0 & earlier Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.	Devolutions Server
CVE-2025-4433	May 30, 2025	Privilege Escalation via Improper Access Control in Devolutions Server 2025.1.7 Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both "User Management" and "User Group Management" permissions to perform privilege escalation by adding users to groups with administrative privileges.	Devolutions Server
CVE-2025-5334	May 29, 2025	Remote Desktop Manager <=2025.1.34.0 User Vaults Leak Data; Unauthorized Access Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to private personal information. Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users. This issue affects the following versions : * Remote Desktop Manager Windows 2025.1.34.0 and earlier * Remote Desktop Manager macOS 2025.1.16.3 and earlier * Remote Desktop Manager Android 2025.1.3.3 and earlier * Remote Desktop Manager iOS 2025.1.6.0 and earlier	Remote Desktop Manager
CVE-2025-4493	May 28, 2025	Devolutions Server (v2025.1.3-2025.1.7) Improper PAM JIT Privilege Assignment Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized groups by exploiting a user interface issue. This issue affects the following versions :  * Devolutions Server 2025.1.3.0 through 2025.1.7.0 * Devolutions Server 2024.3.15.0 and earlier	Devolutions Server
CVE-2025-4316	May 05, 2025	Devolutions Server 2025.1.3.0-2025.1.6.0: PAM Self-Approval Access Control Flaw Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0.	Devolutions Server
CVE-2025-3517	May 01, 2025	Privilege Escalation via PAM JIT in Devolutions Server 2025.1.5.0 Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal accounts SID when updating the username.	Devolutions Server
CVE-2025-2499	Mar 26, 2025	Client-Side ACL Bypass in Devolutions RM 2025.1.24-25 Permissions Client side access control bypass in the permission component in Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictionsspecifically View Password, Edit Asset, and Edit Permissions by performing specific actions. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2528	Mar 26, 2025	Improper Auth: Remote Desktop Manager 2025.1.24-2025.1.25 Bypass-PW Policy Improper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a configuration different from the one mandated by the system administrators. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2562	Mar 26, 2025	Insufficient Logging in Devolutions RDM Autotyping (2025.1.24-25, <=2024.3.29) Insufficient logging in the autotyping feature in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a stored password without generating a corresponding log event, via the use of the autotyping functionality. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-2600	Mar 26, 2025	Remote Desktop Manager 2025.1.24-25 Improper Authorization of ELEVATED_PASSWORD Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated password to use the ELEVATED_PASSWORD variable even though not allowed by the "Allow password in variable policy". This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.	Remote Desktop Manager
CVE-2025-1636	Mar 13, 2025	Remote Desktop Manager <=2024.3.29: Credentials Leakage via Clear History Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to inadvertently leak the My Personal Credentials in a shared vault via the clear history feature due to faulty business logic.	Remote Desktop Manager
CVE-2025-1635	Mar 13, 2025	Remote Desktop Manager 2024.3.29 Exposes Sensitive Session Data via Hub Export on Windows Exposure of sensitive information in hub data source export feature in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows a user exporting a hub data source to include his authenticated session in the export due to faulty business logic.	Remote Desktop Manager
CVE-2025-2277	Mar 13, 2025	Devolutions Server <=2024.3.13 Leaks SSH Password via Web Auth Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently leak his SSH password due to missing password masking.	Devolutions Server
CVE-2025-2278	Mar 13, 2025	Devolutions Server 2024.3.13 – Improper Access on Temp & Checkout Endpoints Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.	Devolutions Server
CVE-2025-2280	Mar 13, 2025	Improper ACL in Devolutions Server 2024.3.4.0 Web Ext Restriction Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature.	Devolutions Server
CVE-2025-2003	Mar 05, 2025	Devolutions Server 2024.3.12 - PAM Vault Authorization Bypass Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission.	Devolutions Server
CVE-2025-1231	Feb 11, 2025	PAM Password Reset Reuse Oracle Password Devolutions Server 2024.3 Improper password reset in PAM Module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the oracle user password after check-in due to crash in the password reset functionality.	Devolutions Server
CVE-2025-1193	Feb 10, 2025	CVE-2025-1193: RDM Improper host validation in cert verification (pre-2024.3.19) Improper host validation in the certificate validation component in Devolutions Remote Desktop Manager on 2024.3.19 and earlier on Windows allows an attacker to intercept and modify encrypted communications via a man-in-the-middle attack by presenting a certificate for a different host.	Remote Desktop Manager
CVE-2024-11621	Feb 10, 2025	Devolutions RDM Cert Validation Flaw (MITM) before 2024.3.9.0 Missing certificate validation in Devolutions Remote Desktop Manager on macOS, iOS, Android, Linux allows an attacker to intercept and modify encrypted communications via a man-in-the-middle attack. Versions affected are : Remote Desktop Manager macOS 2024.3.9.0 and earlier Remote Desktop Manager Linux 2024.3.2.5 and earlier Remote Desktop Manager Android 2024.3.3.7 and earlier Remote Desktop Manager iOS 2024.3.3.0 and earlier Remote Desktop Manager Powershell 2024.3.6.0 and earlier	Remote Desktop Manager Remote Desktop Manager Powershell
CVE-2024-12196	Dec 04, 2024	Auth Authorization Flaw: View Password History in Devolutions Server <2024.3.7.0 Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.	Devolutions Server
CVE-2024-12151	Dec 04, 2024	Devolutions Server 2024.3.8.0: Migration Permission Bypass Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets.	Devolutions Server
CVE-2024-12149	Dec 04, 2024	Devolutions RDM Temp Access Request Privilege Escalation (<=2024.3.19) Incorrect permission assignment in temporary access requests component in Devolutions Remote Desktop Manager 2024.3.19.0 and earlier on Windows allows an authenticated user that request temporary permissions on an entry to obtain more privileges than requested.	Remote Desktop Manager
CVE-2024-12148	Dec 04, 2024	Devolutions Server 2024.3.6.0 Auth Bypass in Permission Validation Component Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.	Devolutions Server
CVE-2024-11672	Nov 25, 2024	Devolutions Remote Desktop Manager: Incorrect Authorization in Add Permission Component Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission via the import in vault feature.	Remote Desktop Manager
CVE-2024-11670	Nov 25, 2024	Devolutions Remote Desktop Manager: Incorrect Authorization in Permission Validation Component Incorrect authorization in the permission validation component of Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows a malicious authenticated user to bypass the "View Password" permission via specific actions.	Remote Desktop Manager
CVE-2024-11671	Nov 25, 2024	Devolutions Remote Desktop Manager: Improper Authentication Bypass in SQL Data Source MFA Validation Improper authentication in SQL data source MFA validation in Devolutions Remote Desktop Manager 2024.3.17 and earlier on Windows allows an authenticated user to bypass the MFA validation via data source switching.	Remote Desktop Manager
CVE-2024-10971	Nov 12, 2024	Devolutions DVLS Password History Improper Access Control (2024.3.6) Improper access control in the Password History feature in Devolutions DVLS 2024.3.6 and earlier allows a malicious authenticated user to obtain sensitive data via faulty permission.	Devolutions Server
CVE-2024-7421	Sep 25, 2024	Info Exposure in Devolutions RDM 2024.2.20.0 via WinSCP Cmd-Line Args An information exposure in Devolutions Remote Desktop Manager 2024.2.20.0 and earlier on Windows allows local attackers with access to system logs to obtain session credentials via passwords included in command-line arguments when launching WinSCP sessions	Remote Desktop Manager
CVE-2024-6512	Sep 25, 2024	Auth Bypass in Devolutions Server 2024.2.10 via PAM Access Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restrictions, via the PAM access request approval mechanism.	Devolutions Server
CVE-2024-6492	Jul 16, 2024	Sensitive Data Exposure via session proxy in Devolutions RDM 2024.2.14.0 (pre) Exposure of Sensitive Information in edge browser session proxy feature in Devolutions Remote Desktop Manager 2024.2.14.0 and earlier on Windows allows an attacker to intercept proxy credentials via a specially crafted website.	Remote Desktop Manager
CVE-2024-6354	Jun 26, 2024	Improper Access Control: PAM Dashboard Bypass (RDM 2024.2.11earlier) Improper access control in PAM dashboard in Devolutions Remote Desktop Manager 2024.2.11 and earlier on Windows allows an authenticated user to bypass the execute permission via the use of the PAM dashboard.	Remote Desktop Manager