CVE-2025-8312
📋 TL;DR
A deadlock in the PAM automatic check-in feature of Devolutions Server allows passwords to remain valid beyond their intended check-out period. This affects organizations using Devolutions Server for privileged access management, potentially allowing continued access to sensitive systems after credentials should have expired.
💻 Affected Systems
- Devolutions Server
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
Privileged credentials remain active indefinitely, allowing unauthorized access to critical systems, data exfiltration, or lateral movement within the network.
Likely Case
Temporary extension of credential validity beyond policy-defined limits, increasing the window for credential misuse if already compromised.
If Mitigated
Limited impact with proper monitoring and credential rotation practices, though the extended credential lifetime still violates security policy.
🎯 Exploit Status
Exploitation requires triggering the deadlock condition in the scheduling service, which may occur under specific timing or load conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2.6.0 and later, 2025.1.13.0 and later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2025-0013/
Restart Required: Yes
Instructions:
1. Download the patched version from the Devolutions website.
2. Back up the current configuration and database.
3. Run the installer to upgrade.
4. Restart the Devolutions Server service.
🔧 Temporary Workarounds
Disable PAM Automatic Check-in
Temporarily disable the affected feature to prevent deadlock conditions
Navigate to PAM settings in Devolutions Server console and disable automatic check-in
Manual Credential Rotation
Implement manual credential rotation to ensure passwords expire as intended
Manually check credentials in and out through the Devolutions Server interface
🧯 If You Can't Patch
- Implement strict monitoring of credential usage and expiration alerts
- Enforce additional authentication factors for privileged access
🔍 How to Verify
Check if Vulnerable:
Check the Devolutions Server version in the administration console or via the 'About' section
Check Version:
Check the version in the Devolutions Server administration interface or in the installation directory
Verify Fix Applied:
Verify that the version is 2025.2.6.0+ or 2025.1.13.0+ and test PAM check-in/check-out functionality
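Because the fix shipped on two release branches, a plain "version >= X" comparison is not enough: 2025.1.13.0 is patched while 2025.2.5.0, which sorts higher, is not. The following branch-aware check is an added example (not code from Devolutions or from the advisory); it assumes four-part version strings as shown on this page and treats branches newer than 2025.2 as carrying the fix.

```python
"""Branch-aware version check for CVE-2025-8312 (Devolutions Server).

Fixed releases per the advisory: 2025.2.6.0 and later on the 2025.2 branch,
2025.1.13.0 and later on the 2025.1 branch. Older builds on those branches,
and any earlier branch, are treated as affected. Assumption (not stated on
the page): branches released after 2025.2 include the fix.
"""
from typing import List, Tuple

# (major, minor) branch -> first fixed (build, revision) on that branch
FIXED_BY_BRANCH = {
    (2025, 1): (13, 0),
    (2025, 2): (6, 0),
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '2025.2.6.0' (or a shorter form such as '2025.2.6') into a 4-tuple.

    Missing trailing components count as 0; non-numeric input or more than
    four components is rejected so a malformed inventory entry is not
    silently classified.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def is_patched(text: str) -> bool:
    """Return True if this Devolutions Server version is not affected."""
    major, minor, build, rev = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (build, rev) >= FIXED_BY_BRANCH[branch]
    # Assumption: branches newer than 2025.2 carry the fix; older ones do not.
    return branch > max(FIXED_BY_BRANCH)


def check_versions(versions: List[str]) -> List[Tuple[str, bool]]:
    """Classify an inventory of version strings into (version, patched) pairs."""
    return [(v, is_patched(v)) for v in versions]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["2025.1.12.0", "2025.1.13.0", "2025.2.5.3", "2025.2.6.0", "2024.3.20.0"]
    for version, ok in check_versions(sample):
        print(f"{version:>12}  {'patched' if ok else 'AFFECTED'}")
```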
📡 Detection & Monitoring
Log Indicators:
- Scheduling service deadlock errors
- PAM check-in failures
- Credential expiration warnings
Network Indicators:
- Unusual credential usage patterns
- Access attempts with expired credentials
SIEM Query:
source="devolutions_server" AND (event_type="deadlock" OR message="check-in failure")