CVE-2025-2278
📋 TL;DR
This vulnerability allows authenticated users in Devolutions Server to access temporary access and checkout request information by guessing or knowing request IDs. It affects all Devolutions Server deployments running version 2024.3.13 or earlier.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could enumerate and access all temporary access and checkout requests, potentially exposing sensitive credential information, access patterns, and privileged account details.
Likely Case
Authenticated users with normal privileges can access request information they shouldn't have permission to view, leading to information disclosure about other users' access patterns and potentially sensitive system information.
If Mitigated
With proper access controls and monitoring, the impact is limited to unauthorized viewing of request metadata rather than credential exposure.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of request IDs, which could be guessed or enumerated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3.14 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2025-0004/
Restart Required: Yes
Instructions:
1. Download Devolutions Server 2024.3.14 or later from the Devolutions website
2. Backup your current installation and database
3. Run the installer to upgrade
4. Restart the Devolutions Server service
🔧 Temporary Workarounds
Restrict Access to API Endpoints
Use network segmentation or firewall rules to restrict access to the vulnerable endpoints to only authorized administrative systems.
Enhanced Monitoring
Implement detailed logging and monitoring of access to temporary access and checkout request endpoints to detect suspicious activity.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for authenticated users
- Consider temporarily disabling temporary access and checkout request features if not critical
🔍 How to Verify
Check if Vulnerable:
Check the Devolutions Server version in the web interface or via PowerShell: Get-ItemProperty 'HKLM:\SOFTWARE\Devolutions\Server' -Name Version. Any version 2024.3.13 or earlier is vulnerable.
Check Version:
On Windows: Get-ItemProperty 'HKLM:\SOFTWARE\Devolutions\Server' -Name Version; On Linux: Check /opt/devolutions/server/version.txt
Verify Fix Applied:
Verify the version is 2024.3.14 or later, and confirm that an authenticated user without the proper authorization can no longer retrieve another user's temporary access or checkout request by its ID.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed attempts to access request endpoints with different IDs
- Unauthorized access patterns to /api/temporaryaccess or /api/checkout endpoints
Network Indicators:
- Unusual API call patterns to request endpoints from non-administrative users
SIEM Query:
source="devolutions-server" AND (uri_path="/api/temporaryaccess/*" OR uri_path="/api/checkout/*") AND user_role!="admin"
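The enumeration indicator above, expressed as a check over access-log lines. This is an added illustration, not code from the advisory or from Devolutions; the log line format, field names, role values and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines. Assumed format: timestamp user role method path status.
# This is not Devolutions Server's real log format; adapt LINE_RE to your log source.
SAMPLE_LOG = """\
2025-03-10T09:00:01Z alice user GET /api/temporaryaccess/1041 200
2025-03-10T09:00:02Z alice user GET /api/temporaryaccess/1042 404
2025-03-10T09:00:03Z alice user GET /api/temporaryaccess/1043 200
2025-03-10T09:00:04Z alice user GET /api/checkout/1044 404
2025-03-10T09:00:05Z alice user GET /api/checkout/1045 200
2025-03-10T09:00:06Z alice user GET /api/temporaryaccess/1046 404
2025-03-10T09:00:07Z bob user GET /api/temporaryaccess/2001 200
2025-03-10T09:00:08Z carol admin GET /api/checkout/3001 200
2025-03-10T09:00:09Z carol admin GET /api/checkout/3002 200
2025-03-10T09:00:10Z bob user GET /api/vault/entries 200
"""

# Only the two request endpoints named in the advisory, with a numeric request ID.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<role>\S+) (?P<method>\S+) "
    r"(?P<path>/api/(?:temporaryaccess|checkout)/(?P<rid>\d+)) (?P<status>\d{3})$"
)

def summarize_request_access(log_text):
    """Per non-admin user: distinct request IDs touched and number of failed calls."""
    stats = defaultdict(lambda: {"ids": set(), "failed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["role"] == "admin":
            continue  # not a request endpoint, or an admin who is expected to see requests
        entry = stats[m["user"]]
        entry["ids"].add(m["rid"])
        if m["status"] in ("403", "404"):
            entry["failed"] += 1  # a miss on a guessed ID shows up as 403/404
    return stats

def flag_enumeration(log_text, max_distinct_ids=3, max_failed=2):
    """Return users whose access pattern looks like request-ID guessing.
    Thresholds are assumed; a production rule would also bound the time window."""
    flagged = {}
    for user, s in summarize_request_access(log_text).items():
        if len(s["ids"]) > max_distinct_ids or s["failed"] > max_failed:
            flagged[user] = {"distinct_ids": len(s["ids"]), "failed": s["failed"]}
    return flagged

if __name__ == "__main__":
    for user, info in flag_enumeration(SAMPLE_LOG).items():
        print(f"{user}: {info['distinct_ids']} distinct request IDs, {info['failed']} failed")
```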