Devolutions 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、vendor risk sql injection, and vendor risk input validation に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact session compromise and vendor impact data exposure などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-6523 | Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe. This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.3.0 * Devolutions Server 2025.1.11.0 and earlier | [email protected] | 9.5 | 0.38% | 2025-07-22 | 2025-11-25 |
| CVE-2025-5382 | Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA. | [email protected] | 6.8 | 0.34% | 2025-06-05 | 2025-07-02 |
| CVE-2025-3768 | Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable. | [email protected] | 5.0 | 0.17% | 2025-06-05 | 2025-07-02 |
| CVE-2025-0691 | Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation. | [email protected] | 5.0 | 0.26% | 2025-06-05 | 2025-07-02 |
| CVE-2025-4433 | Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both "User Management" and "User Group Management" permissions to perform privilege escalation by adding users to groups with administrative privileges. | [email protected] | 8.7 | 0.45% | 2025-05-30 | 2025-11-25 |
| CVE-2025-5334 | Exposure of private personal information to an unauthorized actor in the user vaults component of Devolutions Remote Desktop Manager allows an authenticated user to gain unauthorized access to private personal information. Under specific circumstances, entries may be unintentionally moved from user vaults to shared vaults when edited by their owners, making them accessible to other users. This issue affects the following versions : * Remote Desktop Manager Windows 2025.1.34.0 and ear | [email protected] | 7.5 | 0.48% | 2025-05-29 | 2025-07-02 |
| CVE-2025-4493 | Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized groups by exploiting a user interface issue. This issue affects the following versions : * Devolutions Server 2025.1.3.0 through 2025.1.7.0 * Devolutions Server 2024.3.15.0 and earlier | [email protected] | 6.5 | 0.31% | 2025-05-28 | 2025-06-25 |
| CVE-2025-4316 | Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the configured policy via specific user interface actions. This issue affects Devolutions Server versions from 2025.1.3.0 through 2025.1.6.0, and all versions up to 2024.3.15.0. | [email protected] | 4.3 | 0.30% | 2025-05-05 | 2025-06-17 |
| CVE-2025-3517 | Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal account’s SID when updating the username. | [email protected] | 6.3 | 0.27% | 2025-05-01 | 2025-06-17 |
| CVE-2025-2600 | Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use the ELEVATED_PASSWORD variable even though not allowed by the "Allow password in variable policy". This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29. | [email protected] | 6.8 | 0.36% | 2025-03-26 | 2025-08-26 |
| CVE-2025-2562 | Insufficient logging in the autotyping feature in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a stored password without generating a corresponding log event, via the use of the autotyping functionality. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29. | [email protected] | 5.4 | 0.36% | 2025-03-26 | 2025-07-02 |
| CVE-2025-2528 | Improper authorization in application password policy in Devolutions Remote Desktop Manager on Windows allows an authenticated user to use a configuration different from the one mandated by the system administrators. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29. | [email protected] | 3.6 | 0.15% | 2025-03-26 | 2025-07-02 |
| CVE-2025-2499 | Client side access control bypass in the permission component in Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictions—specifically View Password, Edit Asset, and Edit Permissions by performing specific actions. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29. | [email protected] | 5.4 | 0.30% | 2025-03-26 | 2025-07-02 |
| CVE-2025-2280 | Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature. | [email protected] | 8.1 | 0.47% | 2025-03-13 | 2025-03-28 |
| CVE-2025-2278 | Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID. | [email protected] | 6.5 | 0.42% | 2025-03-13 | 2025-03-28 |
| CVE-2025-2277 | Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently leak his SSH password due to missing password masking. | [email protected] | 7.5 | 0.52% | 2025-03-13 | 2025-03-28 |
| CVE-2025-1636 | Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows an authenticated user to inadvertently leak the My Personal Credentials in a shared vault via the clear history feature due to faulty business logic. | [email protected] | 6.5 | 1.58% | 2025-03-13 | 2025-03-28 |
| CVE-2025-1635 | Exposure of sensitive information in hub data source export feature in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows a user exporting a hub data source to include his authenticated session in the export due to faulty business logic. | [email protected] | 6.5 | 1.58% | 2025-03-13 | 2025-03-28 |
| CVE-2025-2003 | Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission. | [email protected] | 7.1 | 0.41% | 2025-03-05 | 2025-03-28 |
| CVE-2025-1231 | Improper password reset in PAM Module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the oracle user password after check-in due to crash in the password reset functionality. | [email protected] | 5.4 | 0.32% | 2025-02-11 | 2025-03-28 |