Security & compliance
Upholding the highest standards to protect your data and ensure trust.
DEVO-2025-0004
Remote Desktop Manager and Devolutions Server are affected by vulnerabilities.
Affected Products
Change Log
2025/03/13 - Initial publication 2025/03/26 - Updated fixed versions due to backporting the security fixes.
Exposure of sensitive information in My Personal Credentials password history component
6.9 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Exposure of sensitive information in My Personal Credentials password history component in Devolutions Remote Desktop Manager 2024.3.29 and earlier allows an authenticated user to inadvertently leak the My Personal Credentials in a shared vault via the clear history feature due to faulty business logic.
CVE(s)
CVE-2025-1636
Remediation and Workarounds
Upgrade to Remote Desktop Manager 2024.3.31 or higher
Exposure of sensitive information in cloud data source export feature
6.8 Medium - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Exposure of sensitive information in cloud data source export feature in Devolutions Remote Desktop Manager 2024.3.29 and earlier on Windows allows a user exporting a cloud data source to involuntary include his authenticated session in the export due to faulty business logic.
CVE(s)
CVE-2025-1635
Remediation and Workarounds
Upgrade to Remote Desktop Manager 2024.3.31 or higher
Exposure of password in web-based SSH authentication component
6.8 Medium - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently leak his SSH password due to missing password masking.
CVE(s)
CVE-2025-2277
Remediation and Workarounds
Upgrade to Devolutions Server 2024.3.14 or higher
Improper access control in temporary access requests and checkout requests endpoints
2.3 Low - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Improper access control in temporary access request and checkout request endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.
CVE(s)
CVE-2025-2278
Remediation and Workarounds
Upgrade to Devolutions Server 2024.3.14 or higher
Improper access control in web extension restriction feature
Medium 5.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Improper access control in web extension restriction feature in Devolutions Server 2024.3.4 and earlier allows an authenticated user to bypass the browser extension restriction feature.
CVE(s)
CVE-2025-2280
Remediation and Workarounds
Upgrade to Devolutions Server 2024.3.6 or higher