DEVO-2025-0008

Summary

Devolutions Server is affected by a vulnerability.

Affected Products

Devolutions Server 2025.1.3.0 through 2025.1.7.0

Devolutions Server 2024.3.15.0 and earlier

Change Log

28/05/2025 - Initial publication

Severity

High

Product

Devolutions Server

Fix Version

See vulnerabilities for fixed versions

Improper privilege assignment in PAM JIT privilege sets

Description

Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized groups by exploiting a user interface issue.

If you are not using PAM, you are not affected.

Remediation and Workarounds

How to know if you are affected?

This vulnerability affects the JIT Privilege Sets of the PAM module. If you are not using PAM, you are not affected.

If JIT Privilege Sets are not enabled on your PAM providers, or if no privilege sets are configured on your providers, you are not affected. This information can be found in your PAM provider configuration under the "JIT privilege elevation" section.

If you are using JIT Privilege Sets, you might be affected, and we recommend following the instructions in the next section.

What actions are necessary if you are affected?

Review the "Assigned provider privileges" of your privilege sets. If all available groups are selected, you are affected by the security issue—unless this configuration was intentional. Review each group and assign only the groups that this set should have access to.

To simplify this review, starting with Devolutions Server Console 2025.1.10, a security notice will appear in the update server instance summary. This notice will inform you if your instance is potentially affected by this issue. It will list the potentially affected providers and privilege sets.
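One way to script the review described above, as an added example that is not Devolutions' code: it walks an exported list of PAM providers and flags every JIT privilege set that has been granted every group the provider exposes, which is the condition the advisory tells you to look for. The data model (`PamProvider`, `PrivilegeSet`), the `intentional` reviewer flag and the sample providers are all assumptions constructed for the example; Devolutions Server does not ship this export format.

```python
"""Audit PAM JIT privilege sets for the over-broad assignment described in
DEVO-2025-0008 / CVE-2025-4493.

Added example, not Devolutions code. The classes below model an assumed
export of the provider configuration; the sample data is constructed."""

from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class PrivilegeSet:
    name: str
    assigned_groups: FrozenSet[str]
    # Hypothetical reviewer annotation: set True only after confirming that
    # granting every available group really was the intended design.
    intentional: bool = False


@dataclass(frozen=True)
class PamProvider:
    name: str
    jit_enabled: bool                 # "JIT privilege elevation" enabled?
    available_groups: FrozenSet[str]  # groups the provider can grant
    privilege_sets: Tuple[PrivilegeSet, ...] = ()


Finding = Tuple[str, str, str]  # (provider, privilege set, reason)


def audit_provider(provider: PamProvider) -> List[Finding]:
    """Return one finding per privilege set that grants every available group.

    Per the advisory, providers without JIT privilege sets enabled, or with no
    privilege sets configured, are not affected and produce no findings.
    """
    findings: List[Finding] = []
    if not provider.jit_enabled or not provider.privilege_sets:
        return findings
    for ps in provider.privilege_sets:
        all_groups_assigned = (
            bool(provider.available_groups)
            and provider.available_groups <= ps.assigned_groups
        )
        if all_groups_assigned and not ps.intentional:
            findings.append(
                (provider.name, ps.name, "every available group is assigned")
            )
    return findings


def audit_instance(providers: Iterable[PamProvider]) -> List[Finding]:
    """Audit every provider of an instance and collect the findings."""
    findings: List[Finding] = []
    for provider in providers:
        findings.extend(audit_provider(provider))
    return findings


# Constructed sample data: one affected set, one scoped set, one documented
# break-glass set, one provider with JIT disabled, one with no sets at all.
AD_GROUPS = frozenset({"Domain Admins", "Server Operators", "Helpdesk", "DBA"})
SAMPLE_PROVIDERS = (
    PamProvider(
        name="ad-corp",
        jit_enabled=True,
        available_groups=AD_GROUPS,
        privilege_sets=(
            PrivilegeSet("helpdesk-jit", AD_GROUPS),          # should be flagged
            PrivilegeSet("dba-jit", frozenset({"DBA"})),       # correctly scoped
            PrivilegeSet("break-glass", AD_GROUPS, intentional=True),
        ),
    ),
    PamProvider(
        name="linux-lab",
        jit_enabled=False,
        available_groups=frozenset({"wheel"}),
        privilege_sets=(PrivilegeSet("ops", frozenset({"wheel"})),),
    ),
    PamProvider(
        name="azure-test",
        jit_enabled=True,
        available_groups=frozenset({"Global Administrator"}),
    ),
)

if __name__ == "__main__":
    for provider, privilege_set, reason in audit_instance(SAMPLE_PROVIDERS):
        print(f"{provider}: privilege set '{privilege_set}' - {reason}")
```

Run against your own inventory, the output is the list of provider/privilege-set pairs to re-scope; a set that legitimately needs every group should be marked `intentional` only after someone has confirmed that, so the audit keeps flagging it until the decision is recorded.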

Severity

8.4 High - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

Affected Products

Devolutions Server 2025.1.3.0 through 2025.1.7.0

Devolutions Server 2024.3.15.0 and earlier

CVE(s)

CVE-2025-4493