Shodan
Vulnerabilities
Vulnerable Software
Devolutions:  >> Devolutions Server  >> 2025.3.15.0  Security Vulnerabilities
CVE-2026-4828
Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.
CVSS Score
8.2
EPSS Score
0.0
Published
2026-04-01
CVE-2026-4829
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-04-01
CVE-2026-4924
Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token.
CVSS Score
8.2
EPSS Score
0.0
Published
2026-04-01
CVE-2026-4989
Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-04-01
CVE-2026-4434
Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.
CVSS Score
8.1
EPSS Score
0.0
Published
2026-03-20
CVE-2026-3130
Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
CVSS Score
9.8
EPSS Score
0.0
Published
2026-03-03
CVE-2026-3204
Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
CVSS Score
9.8
EPSS Score
0.001
Published
2026-03-03
CVE-2026-3224
Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
CVSS Score
9.8
EPSS Score
0.001
Published
2026-03-03


Products
Pricing
Contact Us

Shodan ® - All rights reserved