devolutions server · threatengine.sh

Home/Product/devolutions server

Product

devolutions server

81 known vulnerabilities across versions

Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.

Sort Min CVSS Published since

Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read docume

>= 2026.1.6.0 and < 2026.1.12.0

Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated atta

>= 2025.3.1.0 and < 2025.3.18.0

Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to

>= 2026.1.6.0 and < 2026.1.12.0

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to o

>= 2026.1.6.0 and < 2026.1.12.0

Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforc

Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remo

Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authentica

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with

Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle

Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileg

Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allow

Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof

Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the

Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an

Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticate

A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entrie

>= 2025.3.1.0 and < 2025.3.14.0

Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.

>= 2025.3.1.0 and < 2025.3.14.0

SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3

Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.This issue affects Devolut

Exposure of email service credentials to users without administrative rights in Devolutions Server.This issue affects Devolutions

Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.

SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, thr

Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password

Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to i

An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an a

Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basi

Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM p

UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier

Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended

Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entri

Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass a

Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permi

Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user

Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to byp

Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user wit

Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on u

Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallow

Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elev

Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticate

Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier a

Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadve

Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add

Improper password reset in PAM Module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the orac

Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to v

Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain

Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated us

Improper access control in the Password History feature in Devolutions DVLS 2024.3.6 and earlier allows a malicious authenticated

Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticate

Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authent

Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.11.0 and earlier allows an authenticated user

Improper permission handling in the vault offline cache feature in Devolutions Remote Desktop Manager 2024.1.20 and earlier on win

Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.6 and earlier allows an attacker with access t

Improper access control in PAM vault permissions in Devolutions Server 2024.1.10.0 and earlier allows an authenticated user with a

Improper access control in PAM JIT elevation in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM

Denial of service in PAM password rotation during the check-in process in Devolutions Server 2023.3.14.0 allows an authenticated u

Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an a

Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to

Improper privilege management in Just-in-time (JIT) elevation module in Devolutions Server 2023.3.14.0 and earlier allows a user t

Information leak in Content-Security-Policy header in Devolutions Server 2023.3.7.0 allows an unauthenticated attacker to list the

Improper access control in Report log filters feature in Devolutions Server 2023.2.10.0 and earlier allows attackers to retrieve l

Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that compro

Improper access control in PAM propagation scripts in Devolutions Server 2023.2.8.0 and ealier allows an attack with permission to

Improper deletion of resource in the user management feature in Devolutions Server 2023.1.8 and earlier allows an administrator t

Improper access control in Subscriptions Folder path filter in Devolutions Server 2023.1.1 and earlier allows attackers with admin

Insufficient access control in support ticket feature in Devolutions Server 2023.1.5.0 and below allows an authenticated attack

Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allo

Improper access control in the secure messages feature in Devolutions Server 2022.3.12 and below allows an authenticated attacker

Insufficient input sanitization in the documentation feature of Devolutions Server 2022.3.12 and earlier allows an authenticated a

Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sens

Improper access controls on some API endpoints in Devolutions Server 2022.3.12 and earlier could allow a standard privileged user

>= 2022.3.1.0 and < 2022.3.10.0

Improper access control in Devolutions Server allows an authenticated user to access unauthorized sensitive data.

Dashlane password and Keepass Server password in My Account Settings are not encrypted in the database in Devolutions Remote Des

Incorrect permission management in Devolutions Server before 2022.2 allows a new user with a preexisting username to inherit the p

HTML injection vulnerability in secure messages of Devolutions Server before 2022.2 allows attackers to alter the rendering of the

Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle

An SQL Injection issue in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows an administrative us

An overly permissive CORS policy in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows a remote a

An issue was discovered in Devolutions Server before 2020.3. There is a cross-site scripting (XSS) vulnerability in entries of typ

An issue was discovered in Devolutions Server before 2020.3. There is an exposure of sensitive information in diagnostic files.

An issue was discovered in Devolutions Server before 2020.3. There is Broken Authentication with Windows domain users.

An issue was discovered in Devolutions Server before 2020.3. There is broken access control on Password List entry elements.

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin