CVE-2025-13765
📋 TL;DR
CVE-2025-13765 allows non-administrative users in Devolutions Server to access email service credentials, potentially exposing sensitive authentication information. This affects Devolutions Server installations running versions before 2025.2.21 or 2025.3.9.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
Attackers could obtain email service credentials, potentially enabling email spoofing, phishing campaigns, or unauthorized access to email accounts and related systems.
Likely Case
Internal users without proper authorization could access email service credentials, potentially leading to information disclosure and limited email system misuse.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires authenticated access as a non-admin user to access exposed credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2.21 or 2025.3.9
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2025-0018/
Restart Required: Yes
Instructions:
1. Back up your Devolutions Server configuration and data.
2. Download the patched version (2025.2.21 or 2025.3.9) from the Devolutions website.
3. Run the installer/upgrade package.
4. Restart the Devolutions Server service.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict User Access
Limit non-administrative user access to the Devolutions Server interface until patching can be completed.
Monitor Access Logs
Increase monitoring of user access to credential-related sections of Devolutions Server.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can access Devolutions Server interface
- Monitor and audit all user access to email service configuration sections
🔍 How to Verify
Check if Vulnerable:
Check Devolutions Server version in administration panel or via version file in installation directory.
Check Version:
Check web interface at /Admin/About or examine version.txt in installation directory
Verify Fix Applied:
Verify version shows 2025.2.21 or higher, or 2025.3.9 or higher in administration panel.
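The version check above is branch-aware: a 2025.3.x build is numerically "higher than 2025.2.21" yet still vulnerable below 2025.3.9. The following added example (not Devolutions' own tooling) encodes that rule so a version string taken from /Admin/About or version.txt is compared against the fixed release of its own branch. The treatment of branches the advisory does not name (anything older than 2025.2 counted as vulnerable, anything newer than 2025.3 counted as fixed) is an assumption made here, as is the version.txt format, which the parser handles loosely by extracting the first dotted number it finds.

```python
import re
from typing import Tuple

# Fixed releases per maintenance branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (2025, 2): (2025, 2, 21),
    (2025, 3): (2025, 3, 9),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted numeric version (e.g. '2025.2.20.0') from text such
    as the contents of version.txt and return it as a tuple of ints for comparison."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True if the given Devolutions Server version predates the fix for its branch."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_BY_BRANCH:
        # Tuple comparison is element-wise, so 2025.2.21.0 is not below 2025.2.21.
        return parsed < FIXED_BY_BRANCH[branch]
    # Assumption (not from the advisory): branches older than 2025.2 predate both
    # fixed releases and are vulnerable; branches newer than 2025.3 carry the fix.
    return branch < (2025, 2)


def check_version_file(path: str) -> bool:
    """Read a version.txt-style file (assumed format) and report whether it is vulnerable."""
    with open(path, encoding="utf-8") as handle:
        return is_vulnerable(handle.read())


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real installation.
    for sample in ("2025.2.20.0", "2025.2.21.0", "2025.3.8", "2025.3.9", "2025.1.15"):
        status = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"{sample:>12}: {status}")
```

Point `check_version_file` at the installation's version.txt, or paste the string from the administration panel into `is_vulnerable`; a `True` result means the host still needs the 2025.2.21 or 2025.3.9 upgrade.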
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to email configuration sections by non-admin users
- Multiple failed access attempts to credential storage areas
Network Indicators:
- Unusual outbound SMTP traffic from non-email servers
- Authentication attempts to email services from unexpected sources
SIEM Query:
source="devolutions-server" AND (event_type="credential_access" OR (user_role!="admin" AND resource="email_config"))
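The SIEM query relies on AND binding tighter than OR; when the grouping is not explicit, a non-admin viewing any resource can be swept in. The added example below (not part of the original page, and not Devolutions' log format, which is unknown here) applies the intended grouping to constructed JSON log lines: flag every credential_access event from the Devolutions Server source, plus any non-admin access to the email configuration, and skip malformed lines instead of failing. The field names `source`, `event_type`, `user_role` and `resource` are taken from the query above; everything else about the records is assumed.

```python
import json
from typing import Iterable, List

# Constructed sample log lines for illustration, not real Devolutions Server output.
SAMPLE_EVENTS = [
    '{"id": 1, "source": "devolutions-server", "event_type": "credential_access", '
    '"user": "alice", "user_role": "admin", "resource": "email_config"}',
    '{"id": 2, "source": "devolutions-server", "event_type": "page_view", '
    '"user": "bob", "user_role": "user", "resource": "email_config"}',
    '{"id": 3, "source": "devolutions-server", "event_type": "page_view", '
    '"user": "bob", "user_role": "user", "resource": "dashboard"}',
    '{"id": 4, "source": "other-app", "event_type": "credential_access", '
    '"user": "carol", "user_role": "user", "resource": "email_config"}',
    '{"id": 5, "source": "devolutions-server", "event_type": "page_view", '
    '"user": "dave", "user_role": "admin", "resource": "email_config"}',
    'this line is not json and must be skipped',
]


def matches(event: dict) -> bool:
    """Mirror of the SIEM query with the grouping made explicit:
    source AND (credential_access OR (non-admin AND email_config))."""
    if event.get("source") != "devolutions-server":
        return False
    if event.get("event_type") == "credential_access":
        return True
    return event.get("user_role") != "admin" and event.get("resource") == "email_config"


def find_suspicious(lines: Iterable[str]) -> List[int]:
    """Return the ids of events that satisfy the query, ignoring unparseable lines."""
    hits: List[int] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed input should not stop the detection pass
        if matches(event):
            hits.append(event["id"])
    return hits


if __name__ == "__main__":
    for event_id in find_suspicious(SAMPLE_EVENTS):
        print(f"review event {event_id}")
```

Event 1 (an admin reading credentials) is still returned, because the query deliberately keeps all credential_access events; reviewers would expect that noise from legitimate administration and should tune on `user_role` only if the resulting volume is unmanageable.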