Security & Compliance
DEVO-2025-0011
Summary
Devolutions Server is affected by multiple vulnerabilities.
Affected Products
See vulnerabilities for affected products.
Change Log
4/06/2025 - Initial publication
Severity
Medium
Product
Devolutions Server
Fix Version
See vulnerabilities for fixed versions
Improper access control in users MFA feature
Description
Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.
Remediation and Workarounds
Upgrade to Devolutions Server 2025.1.9.0 or higher
Severity
Medium 6.9 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Affected Products
Devolutions Server 2025.1.7.0 and earlier
CVE(s)
CVE-2025-5382
Improper access control in Tor network blocking feature
Description
Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.
Remediation and Workarounds
Upgrade to Devolutions Server 2025.2.2.0 or higher
Severity
2.3 Low - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected Products
Devolutions Server 2025.1.10.0 and earlier
CVE(s)
CVE-2025-3768
Improper access control in permissions component
Description
Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation.
Remediation and Workarounds
Upgrade to Devolutions Server 2025.2.2.0 or higher
Severity
Medium 5.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Products
Devolutions Server 2025.1.10.0 and earlier
CVE(s)
CVE-2025-0691