CVE-2025-4433
📋 TL;DR
This vulnerability allows non-administrative users with both 'User Management' and 'User Group Management' permissions in Devolutions Server to escalate privileges by adding themselves or others to administrative groups. This affects Devolutions Server 2025.1.7.0 and earlier versions where users have been granted these specific permissions.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
An attacker with the required permissions gains full administrative control over the Devolutions Server instance, potentially compromising all managed credentials, connections, and sensitive data.
Likely Case
A malicious insider or compromised account with the specific permissions gains administrative privileges, allowing unauthorized access to sensitive systems and data managed by the server.
If Mitigated
With proper permission segregation and monitoring, the impact is limited to unauthorized group membership changes that can be detected and reversed.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions. The vulnerability is straightforward to exploit once the required permissions are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.1.8.0 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2025-0010/
Restart Required: Yes
Instructions:
1. Download Devolutions Server 2025.1.8.0 or later from the official Devolutions website.
2. Run the installer to upgrade your existing installation.
3. Restart the Devolutions Server service.
4. Verify the version is updated to 2025.1.8.0 or later.
🔧 Temporary Workarounds
Permission Segregation
Remove either 'User Management' or 'User Group Management' permissions from non-administrative users to prevent privilege escalation.
Administrative Group Protection
Implement additional access controls or monitoring on administrative groups to detect unauthorized membership changes.
🧯 If You Can't Patch
- Review and audit all user permissions to ensure no non-administrative users have both 'User Management' and 'User Group Management' permissions.
- Implement enhanced monitoring and alerting for group membership changes, particularly for administrative groups.
🔍 How to Verify
Check if Vulnerable:
Check the Devolutions Server version via the web interface or configuration files. If the version is 2025.1.7.0 or earlier, the system is vulnerable whenever any non-administrative user holds both of the specified permissions.
Check Version:
Check the version in the Devolutions Server web interface under Settings > About, or examine the server configuration files.
Verify Fix Applied:
Verify the Devolutions Server version is 2025.1.8.0 or later and test that non-administrative users with both permissions can no longer add users to administrative groups.
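The audit recommended under "If You Can't Patch" and the version check under "How to Verify" can be combined into one script. The following is an added example, not the advisory's or Devolutions' own tooling: the user records are constructed, and the record fields (`name`, `is_admin`, `permissions`) are assumptions rather than a real Devolutions Server export format. It flags non-administrative users holding both 'User Management' and 'User Group Management', and reports the server as exposed only when that condition coincides with a version below 2025.1.8.0.

```python
"""Audit helper for CVE-2025-4433 (added example, not vendor tooling).

Flags non-administrative Devolutions Server users who hold both
'User Management' and 'User Group Management', and checks whether the
running version predates the fixed release 2025.1.8.0.
"""
from __future__ import annotations

FIXED_VERSION = (2025, 1, 8, 0)
RISKY_COMBO = frozenset({"User Management", "User Group Management"})


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2025.1.7.0' into (2025, 1, 7, 0); short strings are zero-padded."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_vulnerable_version(version: str) -> bool:
    """True for 2025.1.7.0 and earlier, i.e. anything below the fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_risky_users(users: list[dict]) -> list[str]:
    """Names of non-admin users who hold both permissions of the risky pair."""
    return sorted(
        u["name"]
        for u in users
        if not u.get("is_admin", False)
        and RISKY_COMBO <= set(u.get("permissions", ()))
    )


def assess(version: str, users: list[dict]) -> dict:
    """Combine the version check with the permission audit.

    The server is exposed only when both hold: an unpatched version and at
    least one non-administrative user carrying the risky permission pair.
    """
    risky = find_risky_users(users)
    unpatched = is_vulnerable_version(version)
    return {
        "version": version,
        "unpatched": unpatched,
        "risky_users": risky,
        "exposed": unpatched and bool(risky),
    }


# Constructed sample data; field names are assumptions, not a real export.
SAMPLE_USERS = [
    {"name": "alice", "is_admin": True,
     "permissions": ["User Management", "User Group Management"]},
    {"name": "bob", "is_admin": False,
     "permissions": ["User Management", "User Group Management"]},
    {"name": "carol", "is_admin": False,
     "permissions": ["User Management"]},
    {"name": "dave", "is_admin": False,
     "permissions": ["User Group Management", "Other Permission (placeholder)"]},
]

if __name__ == "__main__":
    for key, value in assess("2025.1.7.0", SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

Run it against an export of your real user list after mapping the export's fields onto `name`, `is_admin` and `permissions`; any name in `risky_users` is a candidate for the permission-segregation workaround above.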
📡 Detection & Monitoring
Log Indicators:
- Log entries showing non-administrative users adding members to administrative groups
- Unexpected changes to administrative group membership
Network Indicators:
- Unusual API calls to user/group management endpoints from non-administrative accounts
SIEM Query:
source="devolutions_server" AND (event_type="group_membership_change" AND group_name="*admin*" AND user_role!="administrator")
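The SIEM query above can be exercised offline against sample events. The following is an added example that is not part of the advisory: it parses constructed `key="value"` log lines (the format is an assumption; real Devolutions Server logs need their own parser), applies the same four conditions as the query, and additionally marks the case the TL;DR describes, a user adding themselves to an administrative group.

```python
"""Detection logic mirroring the CVE-2025-4433 SIEM query (added example).

Alert on group_membership_change events from devolutions_server that touch a
group whose name matches *admin* when the acting user's role is not
'administrator'. Log format and sample lines are constructed, not real output.
"""
from __future__ import annotations

import fnmatch
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines (not real server output).
SAMPLE_LOGS = [
    'ts="2025-05-01T10:00:01Z" source="devolutions_server" event_type="login" '
    'user="bob" user_role="user"',
    'ts="2025-05-01T10:02:14Z" source="devolutions_server" '
    'event_type="group_membership_change" user="bob" user_role="user" '
    'group_name="Administrators" member_added="bob"',
    'ts="2025-05-01T10:03:30Z" source="devolutions_server" '
    'event_type="group_membership_change" user="alice" user_role="administrator" '
    'group_name="Administrators" member_added="carol"',
    'ts="2025-05-01T10:04:00Z" source="devolutions_server" '
    'event_type="group_membership_change" user="dave" user_role="user" '
    'group_name="Helpdesk" member_added="erin"',
    'ts="2025-05-01T10:05:12Z" source="other_app" '
    'event_type="group_membership_change" user="mallory" user_role="user" '
    'group_name="Domain Admins" member_added="mallory"',
]


def parse_line(line: str) -> dict[str, str]:
    """Parse a key="value" log line into a dict of string fields."""
    return dict(KV_RE.findall(line))


def matches(event: dict[str, str], group_pattern: str = "*admin*") -> bool:
    """Apply the query's conditions; the group glob is matched case-insensitively."""
    return (
        event.get("source") == "devolutions_server"
        and event.get("event_type") == "group_membership_change"
        and fnmatch.fnmatchcase(event.get("group_name", "").lower(), group_pattern.lower())
        and event.get("user_role") != "administrator"
    )


def detect(lines: list[str]) -> list[dict[str, str]]:
    """Return the parsed events that should raise an alert."""
    return [ev for ev in (parse_line(line) for line in lines) if matches(ev)]


def summarize(lines: list[str]) -> list[str]:
    """One alert string per hit; self-adds (actor == added member) are called out."""
    out = []
    for ev in detect(lines):
        text = (f'{ev.get("ts", "?")} {ev.get("user", "?")} ({ev.get("user_role", "?")}) '
                f'changed membership of "{ev.get("group_name", "?")}"')
        added = ev.get("member_added")
        if added:
            text += f" adding {added}"
            if added == ev.get("user"):
                text += " (self-add)"
        out.append(text)
    return out


if __name__ == "__main__":
    for alert in summarize(SAMPLE_LOGS):
        print(alert)
```

Of the five constructed lines only the second fires: the administrator's change is excluded by `user_role`, the Helpdesk change by the group pattern, and the last line by `source`. The self-add marker is the signal worth routing to a higher-priority queue, since it is the exact pattern this vulnerability enables.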