Devolutions has disclosed a pair of serious security flaws in its Server product, potentially exposing organizations to account impersonation and sensitive data leaks.
Published on November 6, 2025, under advisory DEVO-2025-0016, these issues affect versions 2025.3.5 and earlier.
The most critical vulnerability, rated 9.4 on the CVSS 4.0 scale, involves mishandled pre-multi-factor authentication (pre-MFA) cookies that could allow attackers to impersonate users.
A secondary high-severity flaw enables unauthorized access to nested sensitive fields.
Both stem from improper privilege and access controls, underscoring the need for prompt patching in privileged access management (PAM) environments.
Devolutions Server, a popular tool for secure remote access and credential management, serves enterprises handling high-stakes IT operations.
These bugs highlight ongoing challenges in authentication flows and granular permissions, especially as hybrid work amplifies remote access risks.
While no active exploitation has been reported, the low attack complexity and the low privilege level required make immediate upgrades essential.
Pre-MFA Cookie Flaw Enables User Impersonation (CVE-2025-12485)
The standout issue, CVE-2025-12485, stems from a flaw in Devolutions Server’s pre-MFA cookie handling that leads to improper privilege management.
An attacker with low-privileged access, such as a standard authenticated user, can replay a victim’s pre-MFA cookie to impersonate them during login.
The cookie is issued after the first authentication step but before the MFA prompt, so a replayed copy carries the victim’s identity without the attacker ever knowing the victim’s password or MFA code.
In practice, a malicious insider or a compromised low-level account could capture the cookie via network interception or session theft, then replay it to reach the impersonated user’s dashboard.
Crucially, the advisory does not describe this as a complete MFA bypass for the target account: any verification step enforced after the cookie is presented still applies, if one is enabled.
Even so, it grants access to resources tied to the victim’s role, potentially leading to data exfiltration or lateral movement.
With a CVSS 4.0 score of 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H), the vulnerability requires low effort for high impact; the high subsequent-system impact (SC:H/SI:H/SA:H) reflects that a PAM server brokers access to other systems, so compromising it reaches beyond the server itself.
Attackers need only network reachability and a low-privileged account, making PAM systems a prime target for APTs or ransomware groups.
Devolutions notes that this affects core authentication modules and urges admins to audit session logs for anomalies, such as unexpected privilege escalations.
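As an added illustration of the bug class rather than Devolutions’ own code: a pre-MFA cookie implemented as a reusable bearer token, beside one that is opaque, short-lived, bound to the client that completed the first step, and consumed on first use; followed by an audit pass over constructed log lines that flags a cookie redeemed twice, which is the kind of anomaly the advisory asks admins to look for. The class names, cookie layout, signing key and log format are assumptions for this example.

```python
"""Pre-MFA cookie handling: a replayable design beside a single-use, bound one.

Added example, not Devolutions code. Names, cookie layout, key and log format
are assumptions chosen to show the bug class, not the product's internals.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

SERVER_KEY = b"assumed-server-secret"   # hypothetical signing key


# --- Weak design: a signed bearer cookie meaning "user X passed step one" ---
# Whoever holds it can redeem it repeatedly, from any client, until a long
# expiry. Capturing it is as good as holding the victim's password.

def weak_issue(user: str, now: float, ttl: float = 86400.0) -> str:
    payload = f"{user}|{int(now + ttl)}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def weak_redeem(cookie: str, now: float) -> Optional[str]:
    """Return the user a session would be created for, or None."""
    user, exp, sig = cookie.split("|")
    expected = hmac.new(SERVER_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now > int(exp):
        return None
    return user   # no single-use marker, no client binding


# --- Hardened design: opaque, short-lived, client-bound, single-use ---

@dataclass
class PendingLogin:
    user: str
    client_fp: str        # what the server saw at step one (e.g. session id, UA hash)
    expires_at: float
    used: bool = False


@dataclass
class PreMfaStore:
    pending: dict = field(default_factory=dict)

    def issue(self, user: str, client_fp: str, now: float, ttl: float = 300.0) -> str:
        token = secrets.token_urlsafe(32)   # opaque: nothing to decode or forge
        self.pending[token] = PendingLogin(user, client_fp, now + ttl)
        return token

    def redeem(self, token: str, client_fp: str, now: float) -> Optional[str]:
        rec = self.pending.get(token)
        if rec is None or rec.used or now > rec.expires_at:
            return None
        if not hmac.compare_digest(rec.client_fp, client_fp):
            return None   # presented from a different client than step one
        rec.used = True   # single use: any later replay fails
        return rec.user


# --- Audit check: one pre-MFA cookie redeemed more than once ---
# Constructed log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2025-11-06T10:01:02Z premfa_redeem cookie=c1a2 user=alice src=10.0.0.5
2025-11-06T10:01:40Z premfa_redeem cookie=b7f9 user=bob src=10.0.0.9
2025-11-06T10:03:15Z premfa_redeem cookie=c1a2 user=alice src=10.0.0.77
"""


def suspicious_redemptions(log: str) -> dict:
    """Map cookie id -> set of source addresses for cookies redeemed more than once."""
    seen: dict = {}
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        seen.setdefault(fields["cookie"], []).append(fields["src"])
    return {c: set(srcs) for c, srcs in seen.items() if len(srcs) > 1}


def demo() -> dict:
    now = time.time()
    # Attacker captured the victim's cookie at step one and replays it later.
    weak_cookie = weak_issue("alice", now)
    weak_replays = [weak_redeem(weak_cookie, now + 3600) for _ in range(3)]

    store = PreMfaStore()
    tok = store.issue("alice", "fp-victim", now)
    first = store.redeem(tok, "fp-victim", now + 10)         # legitimate completion
    replay = store.redeem(tok, "fp-victim", now + 20)        # same cookie again
    tok2 = store.issue("alice", "fp-victim", now)
    other_client = store.redeem(tok2, "fp-attacker", now + 10)
    tok3 = store.issue("alice", "fp-victim", now)
    stale = store.redeem(tok3, "fp-victim", now + 600)
    return {"weak_replays": weak_replays, "first": first, "replay": replay,
            "other_client": other_client, "stale": stale,
            "flagged": suspicious_redemptions(SAMPLE_LOG)}


if __name__ == "__main__":
    print(demo())
```

The weak variant redeems the captured cookie three times an hour later; the hardened store accepts the cookie once, then rejects the replay, the presentation from another client, and the stale token. Client binding by source address alone is a weak signal behind NAT or proxies, so the fingerprint should come from something the server already ties to the login attempt.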
Access Control Bypass Exposes Nested Sensitive Data (CVE-2025-12808)
Complementing the impersonation risk, CVE-2025-12808 involves improper access controls on third-level nested fields within Devolutions Server.
View-only users, intended for read-only oversight, can unexpectedly access sensitive data, such as custom password list values.
This stems from lax enforcement on deeply nested entries, allowing unauthorized enumeration of credentials and configurations.
For instance, a user with view permission on a parent entry might read subfields holding passwords stored in a custom list, bypassing the restriction intended for that role.
The CVSS 4.0 rating of 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects a confidentiality-only impact with no integrity or availability disruption, but in PAM contexts leaked passwords can cascade into broader breaches.
This flaw compounds the first vulnerability: once an attacker is impersonating a user, it hands them ready-made reconnaissance over that user’s entries.
Organizations using Devolutions for vaulting secrets in cloud or on-prem setups face heightened exposure, especially if role-based access controls (RBAC) aren’t tightly tuned.
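As an added example, not the product’s code: an entry tree nested three levels deep, a getter that checks only whether the role may open the entry and then follows any path into it, the same lookup with sensitive leaves redacted at every depth before the path is followed, and an audit helper that lists every secret a role can actually read through a given getter. The entry layout, role names and the “sensitive” marker are assumptions.

```python
"""Authorization on nested entry fields: a check that stops at the parent
beside one applied at every depth.

Added example, not Devolutions code; the entry layout, roles and the
"sensitive" marker are assumptions for illustration.
"""
from typing import Any, Callable

# Constructed vault entry with fields nested three levels deep.
ENTRY = {
    "name": "db-prod",
    "host": "db01.internal",
    "password": {"sensitive": True, "value": "P@ss-1"},
    "custom": {
        "notes": "rotated 2025-10",
        "password_list": {
            "items": [
                {"label": "replica", "secret": {"sensitive": True, "value": "R3pl-2"}},
                {"label": "backup", "secret": {"sensitive": True, "value": "B4ck-3"}},
            ]
        },
    },
}

# Assumed policy: may this role read sensitive leaves?
ROLE_CAN_READ_SECRETS = {"admin": True, "operator": True, "view_only": False}


def is_sensitive(node: Any) -> bool:
    return isinstance(node, dict) and node.get("sensitive") is True


# --- Weak: one check on the entry, then an unrestricted path lookup ---
def weak_get(entry: dict, role: str, path: list) -> Any:
    if role not in ROLE_CAN_READ_SECRETS:   # "may this role open the entry?"
        raise PermissionError(role)
    node = entry
    for key in path:                        # deeper fields are never re-checked
        node = node[key]
    return node["value"] if is_sensitive(node) else node


# --- Hardened: decide authorization for every node before following the path ---
def redact(node: Any, role: str) -> Any:
    """Copy of the tree with sensitive leaves masked unless the role may read them."""
    if is_sensitive(node):
        return node["value"] if ROLE_CAN_READ_SECRETS[role] else "***"
    if isinstance(node, dict):
        return {k: redact(v, role) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, role) for v in node]
    return node


def safe_get(entry: dict, role: str, path: list) -> Any:
    if role not in ROLE_CAN_READ_SECRETS:
        raise PermissionError(role)
    node = redact(entry, role)              # masking happens at every depth
    for key in path:
        node = node[key]
    return node


# --- Audit helper: every sensitive leaf a role can really read via a getter ---
def exposed_secret_paths(entry: dict, role: str, getter: Callable) -> list:
    found = []

    def walk(node: Any, path: list) -> None:
        if is_sensitive(node):
            if getter(entry, role, path) == node["value"]:
                found.append("/".join(map(str, path)))
            return
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, path + [k])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, path + [i])

    walk(entry, [])
    return found


if __name__ == "__main__":
    deep = ["custom", "password_list", "items", 0, "secret"]
    print("weak, view_only:", weak_get(ENTRY, "view_only", deep))
    print("safe, view_only:", safe_get(ENTRY, "view_only", deep))
    print("exposed via weak_get:", exposed_secret_paths(ENTRY, "view_only", weak_get))
```

Run against the constructed entry, the audit helper reports three secrets reachable by a view-only role through the weak getter, including both values in the nested password list, and none through the hardened one. The same walk is a cheap regression check to run after a permission change: point it at a real entry tree and a getter and compare the list against what the role is supposed to see.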
Both vulnerabilities are fixed in Devolutions Server 2025.3.6.0 or later (for the 2025.3 branch) and 2025.2.17.0 or higher (for the 2025.2 branch).
Devolutions recommends immediate upgrades, turning off pre-MFA cookies as a workaround, and reviewing user permissions.
For reporting issues, visit their Trust Center. As PAM tools evolve, these incidents remind admins to layer defenses beyond MFA, including zero-trust verification and regular audits.