Security & Compliance
We adhere to the highest standards to protect your data and maintain trust.

DEVO-2026-0005
Devolutions Server and Remote Desktop Manager are affected by multiple vulnerabilities.
Affected products
Changelog
Initial publication - 2026-03-03
9.5 Critical - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Broken authentication in Microsoft Authentication mode of Devolutions Server
Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
The victim email must be known for the attack to succeed.
Affected products
CVE(s)
CVE-2026-3224
Fixes and workarounds
Upgrade to Devolutions Server 2025.3.16 or higher
If upgrade is not possible, Microsoft authentication mode should be disabled.
Acknowledgements
truff
5.1 Medium - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N
Improper Enforcement of Behavioral Controls in PAM Multi-Account Deletion
Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion. This can bypass intended protections and may interfere with Just-in-Time (JIT) privilege revocation, potentially resulting in persistent elevated privileges.
Affected products
CVE(s)
CVE-2026-3130
Fixes and workarounds
Upgrade to Devolutions Server 2025.3.16 or 2026.1
5.1 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Tamperable error messages
The error message page in Devolutions Server displayed a message provided in the URL. This could be used by a malicious actor to display spoofed error messages, for example in phishing attempts.
The page was modified to display error messages based on error codes.
Affected products
CVE(s)
CVE-2026-3130
Fixes and workarounds
Upgrade to DVLS 2025.3.16 or 2026.1
2.0 Low - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Passwords can be saved when password saving is disabled
Passwords of some connection types could still be saved even when the option “Disable password saving in vaults” is enabled in System Settings.
The affected connection types are:
- AWS dashboard
- AWS Identity and Access Management (IAM)
- Microsoft Azure Table Storage Explorer
- BeyondTrust Admin session
- Dell iDRAC
- Google Cloud explorer
- HP iLO
- Autofill login (native application)
- Proxmox dashboard
- Salesforce Cloud
- Splashtop dashboard
- TN3270
- IBM5250
- CyberArk dashboard
- Amazon EC2
Affected products
CVE(s)
CVE-2026-2590
Fixes and workarounds
Upgrade to Remote Desktop Manager 2026.1