Devolutions: >> Devolutions Server >> 2025.2.8.0 Security Vulnerabilities
Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step.
This issue affects the following versions :
* Devolutions Server 2025.3.2.0 through 2025.3.5.0
*
Devolutions Server 2025.2.15.0 and earlier
CVSS Score
8.8
EPSS Score
0.0
Published
2025-11-06
Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.
This issue affects the following versions :
* Devolutions Server 2025.3.2.0 through 2025.3.5.0
*
Devolutions Server 2025.2.15.0 and earlier
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-06
Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests.
CVSS Score
8.4
EPSS Score
0.001
Published
2025-10-22
An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an authenticated user to cause a denial of service to the Security Dashboard via a crafted request.
CVSS Score
4.1
EPSS Score
0.001
Published
2025-10-22
Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-10-15