CVE-2025-4493
📋 TL;DR
This vulnerability allows a PAM (Privileged Access Management) user in Devolutions Server to perform JIT (Just-In-Time) privilege requests on groups they shouldn't have access to. It's caused by an improper privilege assignment issue in the user interface. Organizations running affected versions of Devolutions Server are at risk.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
An authenticated PAM user could elevate privileges to access sensitive systems or data they shouldn't have authorization for, potentially leading to lateral movement or data exfiltration.
Likely Case
A malicious insider or compromised PAM account could gain unauthorized access to additional privileged groups, bypassing intended access controls.
If Mitigated
With proper network segmentation, monitoring, and least privilege principles, the impact would be limited to the specific PAM environment rather than critical production systems.
🎯 Exploit Status
Exploitation requires authenticated access to the PAM interface. The vulnerability appears to be a UI logic flaw rather than a technical bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Devolutions Server 2025.1.8.0 and later, 2024.3.16.0 and later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2025-0008/
Restart Required: Yes
Instructions:
1. Download the patched version from the Devolutions website.
2. Back up your current installation.
3. Run the installer to upgrade.
4. Restart the Devolutions Server service.
🔧 Temporary Workarounds
Disable PAM JIT functionality
Temporarily disable Just-In-Time privilege requests in PAM settings
Restrict PAM user permissions
Review and reduce PAM user permissions to the minimum required
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the PAM environment
- Enable detailed auditing of all PAM JIT requests and review logs daily
🔍 How to Verify
Check if Vulnerable:
Check the Devolutions Server version in the web interface or the installation directory. Versions 2025.1.3.0-2025.1.7.0 or ≤2024.3.15.0 are vulnerable.
Check Version:
Check the web interface → About, or examine version.txt in the installation directory
Verify Fix Applied:
Verify version is 2025.1.8.0+ or 2024.3.16.0+. Test PAM JIT functionality with a test user to ensure proper group restrictions.
📡 Detection & Monitoring
Log Indicators:
- Unusual PAM JIT requests from users
- JIT requests for groups outside a user's normal scope
- Multiple failed JIT requests followed by success
Network Indicators:
- Increased PAM API calls from single user
- Unusual timing of privilege requests
SIEM Query:
source="devolutions-server" AND (event_type="pam_jit_request" AND result="success") | stats count by user, target_group
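The two log indicators above (out-of-scope group requests, and a burst of failed JIT requests followed by a success) can be checked offline once PAM JIT events have been exported from the SIEM. The following is an added example, not vendor code or a Devolutions Server log format: the event fields (ts, user, target_group, result), the sample events and the per-user baseline of expected groups are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample JIT request events (not real Devolutions Server output).
# Field names are assumed; map your exported SIEM columns onto them.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:00:00", "user": "alice", "target_group": "HelpdeskAdmins", "result": "success"},
    {"ts": "2025-05-01T09:05:00", "user": "bob", "target_group": "DBA-Prod", "result": "failure"},
    {"ts": "2025-05-01T09:06:00", "user": "bob", "target_group": "DBA-Prod", "result": "failure"},
    {"ts": "2025-05-01T09:07:00", "user": "bob", "target_group": "DBA-Prod", "result": "failure"},
    {"ts": "2025-05-01T09:08:00", "user": "bob", "target_group": "DBA-Prod", "result": "success"},
    {"ts": "2025-05-01T10:00:00", "user": "alice", "target_group": "DomainAdmins", "result": "success"},
]

# Assumed baseline from an access review: groups each PAM user is expected to request.
BASELINE = {"alice": {"HelpdeskAdmins"}, "bob": {"Tier2-Support"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def out_of_scope_successes(events, baseline):
    """Successful JIT grants for a group outside the requesting user's baseline scope."""
    return [
        (e["user"], e["target_group"])
        for e in events
        if e["result"] == "success" and e["target_group"] not in baseline.get(e["user"], set())
    ]


def failures_then_success(events, min_failures=3, window=timedelta(minutes=15)):
    """Users whose successful JIT request follows >= min_failures failures within `window`."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures still inside the window
    for e in sorted(events, key=_ts):
        now = _ts(e)
        fails = [t for t in recent_failures[e["user"]] if now - t <= window]
        if e["result"] == "failure":
            fails.append(now)
        elif len(fails) >= min_failures:
            alerts.append((e["user"], e["target_group"], len(fails)))
            fails = []  # reset after alerting so one burst produces one alert
        recent_failures[e["user"]] = fails
    return alerts


if __name__ == "__main__":
    print("out of scope:", out_of_scope_successes(SAMPLE_EVENTS, BASELINE))
    print("failures then success:", failures_then_success(SAMPLE_EVENTS))
```

Tune `min_failures` and `window` to the normal error rate of your PAM users; both heuristics are only as good as the baseline, so refresh it whenever group memberships are reviewed.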