Core - Deprecated read-only and restricted permission types
Core - Entra ID now enforces secret expiration with banner and email warnings
Core - Entry security settings now use inherited values by default
Core - Error reports now include connection type details
Core - Improve Entry Security Analyzer report to include all relevant fields, matching the information already available in RDM
Core - Improved license management — disabling a user now automatically removes their assigned licenses
Core - Improved performance for access requests in RDM
Core - Linked vaults can now point to entries in the same folder
Core - Public API now supports CRUD operations for folders and vaults
Core - Renamed Log Retention Policies to Database Retention Policies and added retention options for connection history, remote sessions, and traffic events
Core - Simplified license assignment in data sources
Core - Synchronizers now support scheduling by hour
Core - Tags can now be used with inheritance rules
Core - The public API now supports full CRUD operations for vaults, allowing administrators to create, read, update, and delete vaults programmatically
Core - Users can now configure multiple MFA methods at once
Gateway - Renamed "Virtual Gateway" to "Gateway ruleset"
Gateway - Sessions can now be recorded on a different gateway than the launch gateway
Gateway - The Gateway Diagnostic window now displays whether Devolutions Agent is installed and running
Gateway - The gateway list now automatically refreshes after an update request completes
PAM - Added "Create folder" option when importing PAM accounts
PAM - Added "Workspace" as a supported application option in the PAM usage policies admin section
PAM - Improved error message when no provider is specified on a PAM account
PAM - Renamed "Scan" to "Account Discovery"
PAM - Users without a PAM license can now perform basic PAM operations, such as checking out PAM credentials, without requiring a full PAM license Assignment
Web - Added a warning in the web interface when an OTP account name contains a colon (":"), consistent with existing behavior in RDM
Web - Administrators can now set permissions on entry types that are not technically supported on the web
Web - Users can now customize the "Add connection" favorites section
Web Client - Multiple UI improvements
Web Client - Updated dark theme
Corrections
27
Core - Fixed a regression where it was no longer possible to set a user as an administrator
Core - Fixed a scheduler timeout error that could cause scheduled tasks to fail intermittently
Core - Fixed an error occurring when too many vaults were present
Core - Fixed an error that occurred when editing account login information on a deprecated entry type
Core - Fixed an issue where exported logs from the DVLS Console were being cropped and truncated
Core - Fixed an issue where forbidden passwords could still be saved in a password list entry
Core - Fixed an issue where new Active Directory user accounts were not appearing in DVLS, preventing the auto-create on first login feature from Working correctly
Core - Fixed an issue where OAuth token rejections were incorrectly returning HTTP 200 with an empty response instead of a proper error code
Core - Fixed duplicate vault cards appearing on the dashboard
Core - Fixed notification emails being sent in English for users configured in French
Core - Fixed repeated migration attempts after SQL migration and server restart
Gateway - Fixed a issue where clicking "Close" from the session kebab menu did not always close the session on the first attempt
Gateway - Fixed a missing configuration option in the Web UI for allowing additional hosts through Devolutions Gateway
Gateway - Fixed an inconsistency in how Gateway tunnels were configured and displayed between RDM and the Web UI
Gateway - Fixed an issue where enabling vault-level security on a gateway prevented it from being used in gateway farms and PAM providers
Gateway - Fixed an issue where virtual gateways were not automatically deleted when their associated physical gateway was removed, leaving orphaned entries that no longer functioned
PAM - Fixed "Nobody" account appearing when "Ignore system users" was enabled
PAM - Fixed a security issue where non-administrator users could view other users' PAM actions in the Privileged Access logs
PAM - Fixed account discovery failure caused by circular security group membership
PAM - Fixed an error that occurred when attempting to add a folder to a newly created PAM vault during the import process
PAM - Fixed an issue where Domain Quick Scan was no longer working
PAM - Fixed an issue where groups located in the Builtin organizational unit were not visible when selecting groups for JIT (Just-In-Time) elevation
PAM - Fixed Local Windows scan failure when credentials were linked
PAM - Fixed SSH scan failure when sudo was configured with NOPASSWORD
Web - Fixed inconsistent rendering of secure notes set as Markdown across different platforms
Web - Fixed the Notification Subscriptions filter not working correctly
If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version
Sécurité
5
Security Fix
PAM - Fixed incorrect authorization on PAM endpoints that allowed low-privilege users to access PAM provider and checkout policy information
Security FixCVE-2026-4828 Core - Fixed a security issue where MFA check could be bypassed when Emergency Code authentication was disabled
Security FixCVE-2026-4924 Core - Fixed a security issue where MFA could be bypassed using an alternate authentication cookie
Security FixCVE-2026-4925 Core - Fixed an issue allowing users to remove their own MFA despite enforced restrictions
Security FixCVE-2026-4989 Core - Fixed an issue where the gateway health check could be exploited for server-side request forgery (SSRF)
Corrections
7
Core - Fixed performance issues with Conditional Access Policies enabled
Core - Resolved SQL collation issues during database and web backups
Core - Restored access to sensitive User Vault information by correcting permission handling
PAM - Fixed OTP prompt appearing for brokering-only PAM accounts
Web - Fixed an error when saving user vault entries for accounts without a user vault
Web - Fixed the credit card edit component missing a reveal sensitive data button
Web - Restored ability to send Secure Messages with attachments
If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version
Sécurité
2
Security FixCVE-2026-3130PAM - Prevented deletion of checked-out PAM accounts
Security FixCVE-2026-3224Core - Fixed a critical security issue that allowed attackers to bypass Entra ID (Azure AD) authentication using a forged identity token
Améliorations
1
Gateway - Gateway list now refreshes automatically after updates
If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version
Sécurité
4
Security FixCVE-2025-13757Core - Core - Fixed SQL injection vulnerability in the last usage logs API endpoint Privileged Sessions Monitoring
Security FixCVE-2025-13757Core - Fixed SQL injection vulnerability in the last usage logs API endpoint
Security FixCVE-2025-13758Core - Fixed security issue where sensitive credentials were exposed in API responses for certain connection types (SMB, HyperV, WebDav, and others)
Security FixCVE-2025-13765Core - Fixed security issue where SMTP configuration with passwords could be viewed through the API without administrator permissions
Améliorations
5
Core - Added requirement for Entra ID secret expiration date during configuration to prevent unexpected login failures
Core - Improved Entra ID authentication by displaying warning banners and sending email alerts to administrators when secrets approach expiration
PAM - Added ability to create folders directly during PAM account import process
PAM - Improved PAM administrator access to automatically grant access to all PAM vaults without manual assignment
PAM - Reduced notification frequency for PAM health checks by sending alerts only once when accounts become out of sync
Corrections
7
Core - Fixed database permission errors for scheduler service on notification group subscriber tables
Core - Fixed database permission errors for scheduler service when inserting telemetry events
Core - Fixed duplicate key violations that occurred during server startup when users had both administrator and vault owner roles
Core - Fixed erroneous mismatch log messages during SSO authentication from RDM
Core - Fixed issue where configured additional access URIs were no longer accessible
Core - Fixed login failures and server crashes when new users attempted to authenticate
Web - Fixed issue where PAM account approval requests in the messages UI would freeze the interface and require page refresh
If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version
Sécurité
2
Security FixCVE-2025-12485Core - Fixed authentication bypass vulnerability where "Configure 2FA by user later" could be exploited to access other user accounts
Security FixCVE-2025-12808Core - Fixed password list custom values being visible to users with view-only permissions
Améliorations
1
PAM - Auto-selected PAM content type when creating a PAM vault to streamline the workflow
Corrections
6
Core - Fixed issue where custom date/time format was not displayed in user preferences when forced by admin
Core - Fixed null reference error occurring in Administration logs and Diagnostics reports
PAM - Fixed AnyIdentity provider not allowing linked credentials when using custom credential type
Web - Fixed SSH private keys not being fetched when using "Prompt on Connection" with linked credentials
Web - Fixed TypeError preventing editing of older scheduled reports
If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version
Sécurité
1
Security FixCVE-2025-11958Core - Fixed a security vulnerability that could cause the Security Dashboard to become unavailable
Fonctionnalité
14
Core - Added a "Linked (External Vault)" option for entries, allowing sessions to reference credentials stored in an external vault
Core - Added an onboarding experience for new installations to simplify initial setup
Core - Added an option to enable biometric lock for the Workspace app
Core - Added support for a custom, editable dictionary for passphrase generation
Core - Added the ability for users to create an API key for their account
Core - Added webhook support for specific trigger events
Core - Require re-authentication before allowing users to change MFA
Core - Users can now configure their own MFA
Gateway - Added a new setting to enable RDP reconnection
Gateway - Added network access rules for virtual gateways, with scoping by IP address, IP range, subnet, and DNS name
Gateway - Added virtual gateways, enabling different permissions on the same physical gateway
PAM - Added "Account Life Policies," consolidating PAM options and enabling inheritance at all levels (entry, folder, root)
PAM - Added conditional policies based on JIT elevation status
Web - Added support to disconnect WBEX sessions on close and when idle
Améliorations
14
Core - Changed default of password policy and password validation to be handled as "Inherited" - Make sure your inheritance structure is appropriate
Core - Added password expiration to password policies
Core - Added support for attachments when sending via Devo Send in DVLS
Core - Editing an entry now triggers the checkout option
Core - Improved image management with the ability to merge duplicate images
Core - Improved LDAP domain controller fallback for faster failover
Core - Improved the Entry Properties menu to align with RDM, making options easier to find
Core - Removed the ability to grant permissions on entries in vaults the user cannot access
Core - Renamed "Cleanup Log" to "Log Retention Policies"
Core - Renamed "Password Templates" to "Password Policies"
Core - Temporary access on a folder now extends to entries created in that folder after the request
PAM - Added support for editing accounts directly in RDM
PAM - Added tier detection during account discovery for domain and Entra ID accounts
PAM - Local Account scan results now exclude provider service accounts
Corrections
10
Core - Fixed an issue where renaming a folder with a backslash () would break the folder
Core - Fixed an issue where the password generator would not open when editing an entry
Core - Reduced the number of emails sent when Syslog is down
PAM - Fixed an error that occurred when adding JIT elevation to a PAM checkout
PAM - Fixed an error when importing computers from an AD scan
PAM - Fixed an issue where editing Account Life Policies could result in an infinite loading state
Web - Fixed an issue where SSH sessions returned "The authentication sequence has failed" when launched in the web client with a linked-to-vault private key
Web - Fixed an issue where web sessions could not be opened with a PAM credential
Web - Restored the top menu button when opening ARD web sessions
Web - Various user interface fixes and improvements
If you are using a client (RDM, PowerShell, etc.), version 2025.2 is required for this DVLS version
Sécurité
2
Security FixCVE-2025-13757Core - Fixed SQL injection vulnerability in the last usage logs API endpoint
Security FixCVE-2025-13758Core - Fixed security issue where sensitive credentials were exposed in API responses for certain connection types (SMB, HyperV, WebDav, and others)
Corrections
1
Core - Fixed erroneous mismatch log messages during SSO authentication from RDM
If you are using a client (RDM, PowerShell, etc.), version 2025.1 is required for this DVLS version
Sécurité
3
Security FixCVE-2025-4433 Core - Fixed an issue where a user with the User Management permission could promote users to admins via user groups
Security FixCVE-2025-4493 PAM - Fixed an issue where "Assigned provider privileges" in JIT privileged sets would select all available groups when adding a new provider privilege
Security FixCVE-2025-5382 Core - Fixed an issue where a user with the User Management permission could remove MFA from an admin user
Améliorations
1
PAM - Allowed use of the backslash character (‘') in Windows account names
Corrections
4
Core - Fixed an issue where sessions in the web client would not work when "Prompt on connection" was enabled
Core - Fixed an issue where the "Invalid License" error incorrectly appeared when editing a user
Core - Fixed an issue where users could lose all repository access, causing a red "X" to appear on vault selection in RDM
PAM - Prevented multiple emails from being sent when an account fails to reset its password on schedule
If you are using a client (RDM, PowerShell, etc.), version 2025.1 is required for this DVLS version
Sécurité
2
Security Fix
Core - Fixed a security issue in in-app Secure Messages where network requests were not properly verifying authorization
Breaking changes
Changed license validation URL from https://api.devolutions.com to https://quoting.devolutions.com. Make sure your network allows access to this URL
Fonctionnalité
6
Core - Added support for portable license feature
Core - Added support for ServiceNow as a ticketing service
Core - Added support of 'Custom + Inherited' as permission configuration
Gateway - Added a way to clean up recordings on Devolutions Gateway
Gateway - Added centralized update management
PAM - Added a new JIT provisioning account type that allows creating a user in your AD domain for the duration of the checkout time
Améliorations
23
Core - Added additional duration options for Devolutions Send message
Core - Added pwned information to the report
Core - Added recording server settings to DVLS
Core - Added search functionality in the system vault
Core - Added support for push notification to RDM devices (Android)
Core - Added support for temporary access on folders
Core - Business users can now open sessions
Core - Improved the "Launch Session" button
Core - My privileged account and My personal credentials are now saved server-side
Core - Notifications are now sent upon entry expiration
Core - The Entry security analyzer report has been improved to include password complexity compliance
Core - The Utilities menu is no longer hidden for business users
Core - User vaults can now be disabled by user
Gateway - Active session recording can now be read (session shadowing)
Gateway - Added support of dynamic connections (Quick Connect, host entries)
Gateway - Health check interval is now set to 5 minutes by default
Gateway - Storage information is now available for managing recordings
PAM - Added a filter to the Active Directory scan to exclude disabled accounts
PAM - Import all Windows local administrators instead of only the default administrator
PAM - Permissions can now be applied to folders
REST Api - Passwords in sessions can now be retrieved
Web - Documentation and attachments can't be modified if entry is checked out
Web - Sessions are now launched in the same browser tab
Corrections
20
Core - Added logging for sealing/unsealing in entry history
Core - Disabled users are now shown as disabled in secure messages
Core - Fixed a paging issue on the Gateways page
Core - Fixed a performance issue with the Data Source Log report
Core - Fixed an error when connecting with SSO in RDM
Core - Fixed an issue in the Activity Logs report where the user filter and user column did not match
Core - Fixed an issue where the "User already exists" error was no longer displayed when importing Entra ID users
Core - Fixed an issue where the JIRA ticketing service was no longer working properly
Core - Fixed an issue where users could not be added to an AD Console entry through the web
Core - Fixed an issue where users could see the User Vault in the Entry Security Analyzer
Core - Fixed an issue where Website entry templates were not visible to business user profiles
Core - Fixed the default application access value when importing multiple user groups
PAM - Fixed an issue where containers could not be selected during an AD scan
PAM - Fixed an issue where PAM account notification subscriptions were no longer working
PAM - Fixed an issue where some accounts were displayed as out of sync after a scheduled password reset
PAM - Fixed an issue where the PAM Password Rotation Report would crash when using a date filter
PAM - Fixed the test connection on PAM providers when using a linked account
PAM - Just-In-Time (JIT) groups requested at checkout are now logged
If you are using a client (RDM, PowerShell, etc.), version 2024.3 is required for this DVLS version
Sécurité
2
Security FixCVE-2025-4316 PAM - Fixed an issue where an admin could approve their own checkout even if approval was required
Security Fix
PAM - Fixed an issue where "Assigned provider privileges" in JIT privileged sets would select all available groups when adding a new provider privilege
If you are using a client (RDM, PowerShell, etc.), version 2024.3 is required for this DVLS version
Sécurité
2
Security FixCVE-2025-2003PAM - Fixed an issue where the "Add in Root" permission was not respected in PAM vaults
Breaking changes
Core - We've updated our integration with your Entra ID environment to align with Microsoft Entra's latest security policies. As part of this update, client secrets with an expiration period longer than two years are now deprecated. Please review and update your current configuration by following the instructions in the following link: https://docs.devolutions.net/server/kb/how-to-articles/azure-portal-configuration-guide-microsoft-authentication
Corrections
2
Core - Fixed an error that could occur when exporting login history
Core - Fixed an issue where the folder structure could disappear when adding or editing entries/folders in RDM
Mise à jour de la base de données requiseRDM and Devolutions Server Console 2022.2 are required to use this version
Sécurité
3
Breaking changes
Core - .NET 6.0 is now required
Breaking changes
Gateway - Devolutions Gateway now requires a license (unlicensed usage will be refused except for side-by-side installation that can have up to 5 concurrent sessions without a license)
Breaking changes
Core - Website entry (previously "Web Browser (HTTP/HTTPS)") now has Workspace browser extension enabled by default
Fonctionnalité
10
Core - Emergency access to allow an access even if providers are down (Azure or AD)
Core - New permission : "Delete Documentation"
Core - New permission : "View Sensitive"
Core - Notifications : Users can be notified on actions made on entries
Core - Security policies available to allow/deny users with different conditions
Core - Security policies available to force/skip 2FA with different conditions
Gateway - Support for new protocols : VNC, ARD, SCP, SFTP, PowerShell (WinRM, SSH), Embedded Websites
PAM - Add link with ticketing system (JIRA) to list tickets during the checkout operation
PAM - Support for password reset for MySQL users, Oracle users and Cisco users
PAM - Support for standalone privileged accounts
Améliorations
14
Core - Added "append to the username" and "prepend to the username" modes for OTP usage
Core - Added a button to test ticketing system configuration
Core - Added more fields in asset dashboard (UPN, custom fields)
Core - Added a new license for the PAM Module (the license is included for those already using the PAM module with a DVLS license bought before September 30th 2021)
PAM - Added local Windows account management
Web - Added an option to regenerate Devolutions Gateway key pair on demand
Web - Added batch edit to grant permissions all at once on an entry
Corrections
5
Core - Fixed an issue where a user can delete entries without permission
Core - Fixed the display of shortcut entries
Core - Stack overflow error when migrating the domain user groups with their SID
PAM - Fixed an issue where approval workflow didn't work when approved by an "approver"
Breaking changes
Core - The user vault has now the same features as a standard vault (i.e.: attachments, history, documentation)
Breaking changes
Introduced a distinction between sensitive properties and passwords in Information Entries. The view password permissions now only affect passwords specifically
Fonctionnalité
10
Core - Added support for Devolutions Gateway (Jet)
Core - Added the "Last login" report
Core - Added the entry type: azure service principal
Core - Added the field Tenant ID on API Key
PAM - Added a system of policies on team folders for easier management
PAM - Added the delta between results when scanning a domain
Web - Added support for default icon color
Web - Added the option when enter a licence or request a trial when the license is expired or when there is no license
Web - The interface is available in read-only when the license is expired or when there is no license
Web - The scheduled reports now support more reports
Améliorations
27
Core - Added a timeout setting to Radius configuration
Core - Added Devolutions Authentificator as a supported 2FA
Core - Added handling of the custom controls on web entries for DWL
Core - Added the authentication method on the login history report
Core - Added the expression "is not" when setting a filter on a subscription
Core - SqlException when starting a connection from a templage
Core - Syslog events, only sends the title of the stack trace
Core - Updated the library for sending emails
Web - Added a download button on document's dashboard
Web - Added a message when the license is expired
Web - Added custom fields on web entries
Web - Added multiple gateways on SCP and SFTP entries
Web - Added multiple gateways on SSH Shel, SSH Tunnel and SSH Port Forward entries
Web - Added Recents, on the new entry dialog
Web - Added recovery codes for OTPs
Web - Added the "Disconnect Data Source" option in the administration section
Web - Added the OPT on Web entries
Web - Added the option to set the "Allow Offline" to a vault
Web - Added the options to view and download the Private key
Web - changed UI
Web - Manage the password setting "Force Default Template"
Web - Remove the email being mandatory when creating a user
Web - secure message, Added the options to "Delete All" and "Mark all as read"
Web - Update the default date range to "today" instead of "Last 7 days" on the activity log report
Web - Updated Radius login labels
Web - Updated the icons
Web - Updated the scrolling when navigating to an entry from the search
Corrections
43
Core - Access was denied on api call for the documentaion
Core - Error SecurityTokenExpiredException received several time a day
Core - Error when adding an email to a user that didn't already had one
Core - Error when enabling the Windows Event Log
Core - Error when importing in the Private Vault
Core - Error with RDM on limited mode
Core - Fix access denied error on documentation
Core - Fix CORS
Core - Fix templates showing in the activity logs
Core - MaxMind GeoIP block everything
Core - Sql Injection
Core - Updated date format on reports
Core - Updated the default STMP Port
Core - Updated the SQL Queries when doing cleanup tasks to avoid timeouts
Core - Wrong log in "Connected User" report when connected from the Launcher
RDM - Cannot download Session recording form Recording Server in RDM
Web - "Prompt for comment" memo is overflow window is not tall enough
Web - Bad email format result in JSON error when editing a user
Web - Checkout UI issue on Firefox
Web - Error when trying to upload an SSH key
Web - Fix cannot assign users and user groups when creation a vault
Web - Fix error on reports when no vault is selected
Web - Fix loading the domain user speed issue
Web - Fix secure message color in dark mode
Web - Fix should not be able to set status on an entry when a check out is required
Web - Fix the vault menu item being available when there are no vault
Web - Fix variable not resolved on connections
Web - Fix variable not resolved on sub-connections
Web - Infinite loading when Azure token expires
Web - Missing icons on the web interface
Web - notification subscriber edit window is not tall enough
Web - On the Login History reports is not showing all entries
Web - RDP Template doesn't save "local ressources"
Web - Tab title is not updated
Web - The licence count is not updated when managing licenses
Web - The password reset is not applied when switching users
Web - The recurrence is not shown properly on the scheduled report calendar
Web - The website does not load properly when the the database is not reachable
Web - UI issue in Vault on Firefox
Web - UI issue when adding a user
Web - Unable to create a Contact Company entry in a folder
Web - User loses its license when changing the user type
