CVE-2026-0610
📋 TL;DR
A SQL injection vulnerability in Devolutions Server's remote-sessions component allows attackers to execute arbitrary SQL commands. This affects Devolutions Server versions 2025.3.1 through 2025.3.12, potentially compromising database integrity and confidentiality.
💻 Affected Systems
- Devolutions Server
⚠️ Manual Verification Required
Automated scanners that key on NVD version ranges may not flag this CVE if the NVD entry carries no CPE range, so confirm the installed build against the vendor advisory yourself rather than trusting a clean scan:
- Review the CVE details at NVD
- Check the vendor advisory (DEVO-2026-0003) for your specific version
- Compare the installed version with the affected range 2025.3.1 through 2025.3.12 inclusive
- If you need to confirm exploitability, do it against a non-production copy, not the live vault
- Update to 2025.3.13 or later; do not rely on scanner output alone
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, or remote code execution on the database server.
Likely Case
Unauthorized data access, privilege escalation, or session hijacking within the Devolutions Server application.
If Mitigated
If the database login used by Devolutions Server holds only the privileges the application needs (no server-level administrative rights), an injection stays confined to that database: error messages or partial data exposure rather than host compromise.
🎯 Exploit Status
SQL injection vulnerabilities typically have low exploitation complexity. An attacker needs to reach the remote-sessions functionality; whether an authenticated account is required is not stated here, so consult the vendor advisory before assuming the attack surface is internal-only.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.3.13 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2026-0003/
Restart Required: Yes
Instructions:
1. Back up the Devolutions Server configuration and database.
2. Download and install Devolutions Server 2025.3.13 or later from the official Devolutions website.
3. Follow the upgrade instructions provided by Devolutions.
4. Restart the Devolutions Server service.
🔧 Temporary Workarounds
Input Validation Enhancement
Parameterized queries on the remote-sessions endpoints are the real fix, but they are a vendor code change shipped in 2025.3.13, not something an operator can apply: there is no workaround at this layer.
Network Segmentation
Restrict access to Devolutions Server to trusted networks and users. The rules below only add an allow entry for TRUSTED_IP on PORT (the port the web interface listens on); they reduce exposure only if the firewall's default policy is deny and broader allow rules are removed. Devolutions Server itself runs on Windows, so the firewalld rule applies to a Linux firewall or reverse proxy placed in front of it, and a --permanent rule takes effect only after firewalld is reloaded.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="PORT" accept'
netsh advfirewall firewall add rule name="Devolutions Access" dir=in action=allow protocol=TCP localport=PORT remoteip=TRUSTED_IP
🧯 If You Can't Patch
- Put a Web Application Firewall (WAF) with SQL injection rules in front of the web interface, and treat it as a speed bump rather than a fix: encoding tricks routinely bypass signature rules
- Disable or restrict access to remote-sessions functionality if it is not required
- Run the application's database login with the minimum privileges it needs, so a successful injection stays inside the Devolutions database
🔍 How to Verify
Check if Vulnerable:
Read the Devolutions Server version from the web interface (Administration → About). Versions 2025.3.1 through 2025.3.12 inclusive are vulnerable. Compare the numbers field by field, not as strings: "2025.3.9" sorts after "2025.3.13" as text but is inside the affected range.
Check Version:
Devolutions Server web interface → Administration → About; the installation directory also carries version information if the console is unavailable.
Verify Fix Applied:
Confirm the version is 2025.3.13 or later, then exercise remote-sessions functionality to make sure it works without errors after the upgrade.
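The field-by-field comparison described above, as an added example (not Devolutions code). It assumes you have already copied the version string from Administration → About; it does not query the server. It encodes only the range stated on this page (2025.3.1 through 2025.3.12 affected, 2025.3.13 fixed) and reports anything outside that range as "unlisted" so you check the vendor advisory instead of assuming safety.

```python
"""Classify an installed Devolutions Server version against the range this
page lists for CVE-2026-0610.

Added example; not Devolutions code. Assumes the version string was copied
from Administration -> About. Range taken from this page only.
"""
import re

AFFECTED_MIN = (2025, 3, 1)
AFFECTED_MAX = (2025, 3, 12)
FIXED_MIN = (2025, 3, 13)

# Accepts '2025.3.12', '2025.3.12.0', 'v2025.3.12-beta'; rejects free text.
VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+){1,3})(?:[-+][\w.]*)?\s*")


def parse_version(text: str) -> tuple:
    """Parse a version string into a (major, minor, patch) tuple of ints.

    Comparing int tuples avoids the classic string-comparison bug where
    '2025.3.9' sorts after '2025.3.13' and a vulnerable build looks fixed.
    """
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))       # '2025.3' -> (2025, 3, 0)
    return tuple(parts[:3])               # ignore a 4th build field


def status(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for a version string."""
    v = parse_version(text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED_MIN:
        return "fixed"
    return "unlisted"                     # e.g. 2025.2.x: consult the advisory


if __name__ == "__main__":
    for sample in ("2025.3.9", "2025.3.12", "2025.3.13", "2025.2.8", "2026.1.0"):
        print(f"{sample:>10}: {status(sample)}")
```

Older branches such as 2025.2.x deliberately come back as "unlisted": this page only names the 2025.3 range, and silence about an older branch is not evidence that it is safe.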
📡 Detection & Monitoring
Log Indicators:
- SQL syntax (quote characters, comment sequences, UNION SELECT, WAITFOR DELAY) in logged request parameters for remote-sessions endpoints, especially paired with HTTP 500 responses or abnormally slow responses
- Unusual statements on the SQL Server instance backing Devolutions Server; note that SQL Server does not log statements by default, so this only works if SQL Server Audit or Extended Events were already enabled
- Multiple failed login attempts via remote-sessions
- Unexpected database schema changes
Network Indicators:
- SQL keywords in HTTP requests to remote-sessions endpoints (visible only where TLS is terminated, i.e. at a reverse proxy or WAF, not on a passive network tap)
- Unusual traffic to the Devolutions Server database port, for example from hosts other than the application server
SIEM Query:
source="devolutions.log" AND ("union select" OR "sleep(" OR "waitfor delay" OR "benchmark(")
Bare terms such as "sql" or "injection" match ordinary log text and bury real hits in noise; URL-encoded parameters must be decoded before these strings match.
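The decode-then-match step the SIEM query needs, run over constructed access-log lines, as an added example (not Devolutions code and not a Devolutions log format). It assumes IIS W3C-style lines with the whitespace-separated fields listed in FIELDS (trim your own log to match), and that the vulnerable endpoints live under a path containing "remote-sessions" (the page names the component, not the exact URL). Because the web interface is served over HTTPS, these lines come from the server or a TLS-terminating proxy/WAF, and POST bodies are not in access logs, so this catches query-string and path payloads only.

```python
"""Triage an HTTP access log for SQL-injection-style payloads aimed at the
Devolutions Server remote-sessions endpoints (CVE-2026-0610).

Added example; not Devolutions code. Assumes IIS W3C-style lines with the
fields in FIELDS and an endpoint path containing 'remote-sessions'.
"""
import re
from typing import Optional
from urllib.parse import unquote_plus

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Patterns run on the URL-decoded path+query, not on the raw line.
PATTERNS = {
    "union-select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "time-based":   re.compile(r"\b(sleep|waitfor\s+delay|pg_sleep|benchmark)\b", re.I),
    "tautology":    re.compile(r"\b(or|and)\b\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "quote-break":  re.compile(r"'\s*(or|and|;|--|union|#)", re.I),
}

# Constructed sample lines (not real Devolutions logs): one benign request,
# three payloads against remote-sessions (the last one double-encoded),
# and one payload against an unrelated endpoint.
SAMPLE_LOG = """\
2026-01-15 10:02:11 10.0.0.5 GET /api/remote-sessions/list ownerId=42 200
2026-01-15 10:02:19 10.0.0.5 GET /api/remote-sessions/list ownerId=42'+UNION+SELECT+name,password_hash+FROM+users-- 500
2026-01-15 10:02:31 10.0.0.5 GET /api/remote-sessions/list ownerId=42%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- 200
2026-01-15 10:03:02 198.51.100.7 GET /api/vaults/entries search=sleep(5) 200
2026-01-15 10:03:40 10.0.0.9 GET /api/remote-sessions/list ownerId=7%2520or%25201%253D1 200
"""


def decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (double encoding is a common filter bypass),
    then collapse whitespace so the patterns see one canonical form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return " ".join(value.split())


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C-style row into a field dict; skip directives/malformed rows."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(decoded: str) -> list:
    """Names of every pattern that matches the decoded request."""
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Return one finding per request carrying an injection-style payload."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(decode(rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]))
        if hits:
            findings.append({
                "line": lineno,
                "client": rec["c-ip"],
                "path": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "patterns": hits,
                # Only requests at the affected component are CVE-2026-0610
                # scope; the rest still deserve a look, under a different ticket.
                "in_scope": "remote-sessions" in rec["cs-uri-stem"].lower(),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        scope = "CVE-2026-0610" if f["in_scope"] else "other endpoint"
        print(f"line {f['line']}: {f['client']} -> {f['path']} "
              f"[{', '.join(f['patterns'])}] status={f['status']} ({scope})")
```

The decode loop is the part worth copying into a SIEM pipeline: the double-encoded "7%2520or%25201%253D1" in the sample only becomes "7 or 1=1" on the second pass, and a single-pass match on the raw line would miss it entirely. The 500 status on the UNION line is the kind of secondary signal the log-indicator list above describes.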