CVE-2025-12808
📋 TL;DR
An improper access control vulnerability in Devolutions Server allows users with 'View-only' permissions to access sensitive nested password fields they shouldn't have access to, potentially exposing password lists and custom values. This affects Devolutions Server versions 2025.3.2.0 through 2025.3.5.0 and 2025.2.15.0 and earlier. Attackers with view-only access can escalate privileges to read sensitive password data.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all stored passwords and sensitive credentials managed by Devolutions Server, leading to lateral movement across the entire infrastructure.
Likely Case
Unauthorized disclosure of password lists and custom values to users who should only have read-only access, potentially exposing credentials for critical systems.
If Mitigated
Limited exposure of some sensitive fields, but overall credential management system remains secure with proper access controls.
🎯 Exploit Status
Exploitation requires authenticated access with view-only permissions. Attackers would need to understand the Devolutions interface to navigate to sensitive nested fields.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Devolutions Server 2025.3.5.1 or later, or upgrade to a version beyond the affected ranges
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2025-0016
Restart Required: Yes
Instructions:
1. Backup your Devolutions Server configuration and data.
2. Download the patched version from the Devolutions official website.
3. Run the installer to upgrade to version 2025.3.5.1 or later.
4. Restart the Devolutions Server service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Restrict View-Only User Access
Temporarily remove or restrict view-only user permissions until patching can be completed.
Navigate to Devolutions Server Admin Console > Users > Edit User Permissions > Remove view-only access to sensitive entries
Audit and Monitor View-Only User Activity
Implement enhanced logging and monitoring for view-only user access to sensitive password fields.
Enable detailed audit logging in Devolutions Server settings
Configure alerts for unusual access patterns to password lists
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Devolutions Server from critical systems
- Conduct immediate user access review and remove unnecessary view-only permissions
🔍 How to Verify
Check if Vulnerable:
Check Devolutions Server version in Admin Console > About, or run: Get-ItemProperty -Path 'HKLM:\SOFTWARE\Devolutions\Devolutions Server' -Name Version
Check Version:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Devolutions\Devolutions Server' -Name Version (Windows) or check /opt/devolutions/devolutions-server/version.txt (Linux)
Verify Fix Applied:
Verify version is 2025.3.5.1 or later, and test that view-only users cannot access password list custom values in nested fields.
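The following PowerShell script is an added example (not from the advisory or from Devolutions) that turns the version check above into a repeatable test: it reads the installed version from the registry location quoted on this page (assumed to be the correct key) and classifies it against the affected ranges stated here (2025.3.2.0 through 2025.3.5.0, and 2025.2.15.0 and earlier; fixed in 2025.3.5.1 or later). Versions that fall in neither range are reported as "outside stated ranges" rather than guessed at.

```powershell
# Added example: classify a Devolutions Server version against the
# affected ranges stated for CVE-2025-12808. The registry path below is
# the one quoted in the advisory text and is assumed to be accurate.

function Test-DvlsVulnerableVersion {
    param([Parameter(Mandatory)][string]$Version)

    # [version] compares major.minor.build.revision numerically, so
    # 2025.3.10.0 sorts after 2025.3.9.0 (a plain string compare would not).
    $v = [version]$Version   # throws on malformed input, which is what we want

    # Ranges as stated on the page.
    $inAffectedRange = ($v -ge [version]'2025.3.2.0' -and $v -le [version]'2025.3.5.0') -or
                       ($v -le [version]'2025.2.15.0')
    $isFixed = $v -ge [version]'2025.3.5.1'

    if ($inAffectedRange) { return 'Vulnerable' }
    if ($isFixed)         { return 'Fixed' }
    return 'Outside stated ranges - confirm against DEVO-2025-0016'
}

# Read the installed version from the registry location given in the advisory.
$regPath = 'HKLM:\SOFTWARE\Devolutions\Devolutions Server'
try {
    $installed = (Get-ItemProperty -Path $regPath -Name Version -ErrorAction Stop).Version
    "Installed {0}: {1}" -f $installed, (Test-DvlsVulnerableVersion -Version $installed)
} catch {
    Write-Warning "Could not read $regPath : $_"
}

# Constructed sample versions showing each outcome:
'2025.3.4.0', '2025.2.15.0', '2025.3.5.1', '2025.3.1.0' | ForEach-Object {
    "{0,-12} -> {1}" -f $_, (Test-DvlsVulnerableVersion -Version $_)
}
```

The constructed samples evaluate to Vulnerable, Vulnerable, Fixed and "Outside stated ranges" respectively. The last case matters in practice: a build such as 2025.3.1.0 sits between the two ranges the advisory names, and the script deliberately refuses to call it safe without checking the vendor advisory.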
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns by view-only users to password-related endpoints
- Multiple failed attempts followed by successful access to nested password fields
Network Indicators:
- Increased API calls to password retrieval endpoints from view-only user accounts
SIEM Query:
source="devolutions-server" AND (event_type="password_access" OR endpoint="*/password*") AND user_role="view-only"
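As an added example (not from the advisory), the PowerShell below implements the network indicator above, a burst of password-retrieval calls from a view-only account, as a threshold rule over audit records. The field names (timestamp, user, user_role, event_type, endpoint) mirror the SIEM query on this page but are assumptions; map them to whatever your Devolutions Server audit export actually emits. The sample records are constructed for offline testing.

```powershell
# Added example: flag view-only accounts whose password-field reads exceed
# a baseline within a short window. Field names are assumed, not taken
# from the Devolutions Server audit schema.

# Constructed sample audit records, one JSON object per line.
$sampleLog = @'
{"timestamp":"2025-11-10T09:00:01Z","user":"alice","user_role":"view-only","event_type":"password_access","endpoint":"/api/entries/101/password"}
{"timestamp":"2025-11-10T09:00:05Z","user":"alice","user_role":"view-only","event_type":"password_access","endpoint":"/api/entries/102/password"}
{"timestamp":"2025-11-10T09:00:09Z","user":"alice","user_role":"view-only","event_type":"entry_view","endpoint":"/api/entries/103"}
{"timestamp":"2025-11-10T09:01:30Z","user":"alice","user_role":"view-only","event_type":"password_access","endpoint":"/api/entries/104/password"}
{"timestamp":"2025-11-10T09:02:00Z","user":"bob","user_role":"view-only","event_type":"password_access","endpoint":"/api/entries/201/password"}
{"timestamp":"2025-11-10T09:02:10Z","user":"carol","user_role":"admin","event_type":"password_access","endpoint":"/api/entries/301/password"}
{"timestamp":"2025-11-10T09:02:20Z","user":"carol","user_role":"admin","event_type":"password_access","endpoint":"/api/entries/302/password"}
{"timestamp":"2025-11-10T09:02:30Z","user":"carol","user_role":"admin","event_type":"password_access","endpoint":"/api/entries/303/password"}
'@

function Get-SuspiciousViewOnlyAccess {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Threshold = 3,        # password reads per user before we alert
        [int]$WindowMinutes = 10    # all reads must fall inside this window
    )

    # Parse each non-empty line as JSON.
    $events = $Lines | Where-Object { $_.Trim() } | ForEach-Object { $_ | ConvertFrom-Json }

    # Same predicate as the page's SIEM query: view-only role AND a password event
    # or a password endpoint.
    $hits = $events | Where-Object {
        $_.user_role -eq 'view-only' -and
        ($_.event_type -eq 'password_access' -or $_.endpoint -like '*/password*')
    }

    # Group by user and apply the count-within-window rule.
    $hits | Group-Object user | ForEach-Object {
        $sorted = $_.Group | Sort-Object { [datetime]$_.timestamp }
        $first  = [datetime]$sorted[0].timestamp
        $last   = [datetime]$sorted[-1].timestamp
        if ($_.Count -ge $Threshold -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                User      = $_.Name
                Count     = $_.Count
                FirstSeen = $first
                LastSeen  = $last
                Endpoints = ($sorted.endpoint | Select-Object -Unique) -join ', '
            }
        }
    }
}

Get-SuspiciousViewOnlyAccess -Lines ($sampleLog -split '\r?\n') | Format-Table -AutoSize
```

Against the constructed records only alice is reported: three password reads inside ninety seconds from a view-only account. bob makes a single read and stays under the threshold, and carol's reads are excluded by role, since an administrator retrieving passwords is expected behaviour. Tune the threshold and window to the baseline you observe for view-only accounts before relying on the rule.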