Security & Compliance

DEVO-2025-0011

Summary

Devolutions Server is affected by multiple vulnerabilities.

Affected Products

See vulnerabilities for affected products.

Change Log

4/06/2025 - Initial publication

Severity

Medium

Product

Devolutions Server

Fix Version

See vulnerabilities for fixed versions

Improper access control in users MFA feature

Description

Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.

Remediation and Workarounds

Upgrade to Devolutions Server 2025.1.9.0 or higher

Severity

Medium 6.9 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Affected Products

Devolutions Server 2025.1.7.0 and earlier

CVE(s)

CVE-2025-5382

Improper access control in Tor network blocking feature

Description

Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.

Remediation and Workarounds

Upgrade to Devolutions Server 2025.2.2.0 or higher

Severity

2.3 Low - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Products

Devolutions Server 2025.1.10.0 and earlier

CVE(s)

CVE-2025-3768

Improper access control in permissions component

Description

Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation.

Remediation and Workarounds

Upgrade to Devolutions Server 2025.2.2.0 or higher

Severity

Medium 5.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products

Devolutions Server 2025.1.10.0 and earlier

CVE(s)

CVE-2025-0691