CVE-2025-11619
📋 TL;DR
CVE-2025-11619 is an improper certificate validation vulnerability in Devolutions Server that allows man-in-the-middle attackers to intercept encrypted traffic between clients and gateways. This affects all Devolutions Server deployments version 2025.3.2 and earlier where gateways are used for remote connections.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
Attackers can decrypt all sensitive data transmitted between clients and gateways, including credentials, session tokens, and confidential information, leading to complete compromise of managed systems.
Likely Case
Attackers intercept and decrypt administrative sessions, gaining unauthorized access to managed systems and potentially pivoting to other network resources.
If Mitigated
With proper network segmentation and certificate pinning, impact is limited to specific gateway connections rather than full infrastructure compromise.
🎯 Exploit Status
Exploitation requires network positioning between client and gateway, but no authentication or special privileges needed once positioned.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.3.3 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2025-0014/
Restart Required: Yes
Instructions:
1. Download Devolutions Server 2025.3.3 or later from the official portal.
2. Back up the current configuration and database.
3. Run the installer to upgrade.
4. Restart the Devolutions Server service.
5. Verify that all gateways reconnect properly.
🔧 Temporary Workarounds
Disable vulnerable gateways
Temporarily disable gateways and use direct connections where possible.
# In Devolutions Server admin console, navigate to Gateways section and disable affected gateways
Implement certificate pinning
Configure clients to pin specific gateway certificates.
# Modify client configuration to include specific certificate thumbprints for each gateway
🧯 If You Can't Patch
- Isolate gateway traffic to dedicated VLANs with strict access controls
- Implement network monitoring for SSL/TLS interception attempts between clients and gateways
🔍 How to Verify
Check if Vulnerable:
Check the Devolutions Server version in the admin console under Help > About. If the version is 2025.3.2 or earlier and gateways are configured, the system is vulnerable.
Check Version:
# Windows: Check Devolutions Server service properties or admin console
# Linux: Check /opt/devolutions/server/version.txt or admin console
Verify Fix Applied:
After patching, verify that the version shows 2025.3.3 or later and test that gateway connections validate certificates properly.
📡 Detection & Monitoring
Log Indicators:
- Failed certificate validation events in gateway logs
- Unexpected certificate changes in SSL/TLS handshakes
Network Indicators:
- SSL/TLS interception attempts between known client and gateway IPs
- Unexpected certificate authorities in gateway connections
SIEM Query:
source="devolutions-server" (event_type="certificate_validation_failed" OR event_type="ssl_handshake_error") AND destination_port=443
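A small detector that applies the log and network indicators above to gateway events, added here as an example that is not part of this advisory or of Devolutions' own tooling. The JSON-lines layout, field names, issuer allowlist and sample events are constructed assumptions, not Devolutions Server's actual log schema; it raises an alert for validation or handshake failures, for a gateway whose certificate thumbprint changes from the first one observed, and for an issuer outside the expected CA set.

```python
import json

# Constructed sample events in an assumed JSON-lines layout; field names and
# thumbprints are illustrative, not Devolutions Server's real log schema.
SAMPLE_LOG = """
{"ts":"2025-10-01T09:00:00Z","gateway":"gw-01.example.internal","event_type":"ssl_handshake_ok","cert_sha256":"aa11","issuer":"CN=Corp Issuing CA"}
{"ts":"2025-10-01T09:05:00Z","gateway":"gw-01.example.internal","event_type":"ssl_handshake_ok","cert_sha256":"aa11","issuer":"CN=Corp Issuing CA"}
{"ts":"2025-10-01T09:07:00Z","gateway":"gw-02.example.internal","event_type":"certificate_validation_failed","cert_sha256":"bb22","issuer":"CN=Corp Issuing CA"}
{"ts":"2025-10-01T09:10:00Z","gateway":"gw-01.example.internal","event_type":"ssl_handshake_ok","cert_sha256":"cc33","issuer":"CN=Unknown Root"}
{"ts":"2025-10-01T09:12:00Z","gateway":"gw-03.example.internal","event_type":"ssl_handshake_error","cert_sha256":"","issuer":""}
"""

# Assumed allowlist of CAs that are expected to issue gateway certificates.
EXPECTED_ISSUERS = {"CN=Corp Issuing CA"}
# Event types named in the SIEM query above.
FAILURE_EVENTS = {"certificate_validation_failed", "ssl_handshake_error"}


def analyze(log_text, expected_issuers=EXPECTED_ISSUERS):
    """Return a list of (gateway, reason) alerts from JSON-lines gateway events."""
    alerts = []
    pinned = {}  # gateway -> first thumbprint seen, used as a learned pin
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        gw, etype = ev["gateway"], ev["event_type"]
        if etype in FAILURE_EVENTS:
            # Failed validation / handshake: matches the log indicators above.
            alerts.append((gw, etype))
            continue
        fp, issuer = ev["cert_sha256"], ev["issuer"]
        if issuer not in expected_issuers:
            # Unexpected certificate authority in a gateway connection.
            alerts.append((gw, f"unexpected issuer {issuer}"))
        if gw in pinned and pinned[gw] != fp:
            # Certificate changed for a gateway we already have a pin for.
            alerts.append((gw, f"thumbprint changed {pinned[gw]} -> {fp}"))
        pinned.setdefault(gw, fp)
    return alerts
```

Seeding `pinned` from a known-good inventory of gateway thumbprints, rather than learning them from the first event, avoids trusting a certificate that was already being intercepted when logging began.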