Devolutions Server, a platform for secure remote connection management, faces serious security risks from multiple flaws disclosed in advisory DEVO-2025-0018 on November 27, 2025.
The most severe issue is a critical SQL injection vulnerability that lets low-privileged users steal or alter sensitive data.
The bugs affect versions up to 2025.2.20 and 2025.3.8 and expose organizations to data breaches, credential leaks, and unauthorized access. Security firm DCIT a.s., through researcher JaGoTu, discovered the issues.
The core problem stems from poor input validation in key API endpoints. Attackers with basic authenticated access can exploit these to bypass controls and manipulate the backend database.
Critical SQL Injection In Usage Logs
At the heart of the advisory sits CVE-2025-13757, a 9.4-rated critical SQL injection flaw (CVSS v4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
It lies in the “DateSortField” parameter of the last-usage-logs endpoint. When a user sorts log entries by date, the server passes this value to the database without sanitizing it, so a classic SQLi payload such as appending ' OR 1=1-- lets the caller read arbitrary data.
An attacker crafts a malicious request to the logs API, injecting SQL that dumps database contents: usernames, passwords, connection details, or even admin credentials stored in Devolutions’ PostgreSQL backend.
Beyond exfiltration, the vulnerability permits modification (VI:H, VA:H) and full compromise of confidentiality, integrity, and availability across scopes (SC:H/SI:H/SA:H).
Network-accessible and low-complexity, it requires only standard user privileges, making lateral movement easy in enterprise setups.
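As an added illustration (not Devolutions' code; the table, column and accepted field names are assumed), the string-concatenation pattern behind a sort-field SQL injection sits beside the allowlist fix, together with a check a defender can run over logged request parameters:

```python
import re
from typing import Dict

# Constructed allowlist for the sort parameter: accepted API value -> column.
# The column and table names are assumptions for this illustration.
SORT_FIELDS: Dict[str, str] = {
    "LastUsed": "last_used_at",
    "Created": "created_at",
}

BASE_QUERY = "SELECT id, user_name, last_used_at FROM usage_logs"


def build_query_vulnerable(date_sort_field: str, descending: bool = True) -> str:
    """Vulnerable pattern: the caller-supplied sort field is concatenated into
    the SQL text, so whatever the client sends becomes part of the statement."""
    direction = "DESC" if descending else "ASC"
    return f"{BASE_QUERY} ORDER BY {date_sort_field} {direction}"


class InvalidSortField(ValueError):
    """Raised when a request carries a sort field outside the allowlist."""


def build_query_fixed(date_sort_field: str, descending: bool = True) -> str:
    """Hardened pattern: an ORDER BY column cannot be bound as a parameter, so
    map the request value to a known column and refuse anything else."""
    column = SORT_FIELDS.get(date_sort_field)
    if column is None:
        raise InvalidSortField(f"unsupported sort field: {date_sort_field!r}")
    direction = "DESC" if descending else "ASC"
    return f"{BASE_QUERY} ORDER BY {column} {direction}"


def looks_tampered(date_sort_field: str) -> bool:
    """Detection check for request logs: a legitimate value is a bare
    identifier; quotes, comment markers or whitespace indicate probing."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", date_sort_field) is None


if __name__ == "__main__":
    probe = "LastUsed' OR 1=1--"  # the payload shape named in the write-up
    print(build_query_vulnerable(probe))  # payload lands inside the SQL text
    try:
        build_query_fixed(probe)
    except InvalidSortField as exc:
        print("rejected:", exc)
    print("tampered:", looks_tampered(probe))
```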
Additional Flaws and Urgent Fixes
Two medium-severity issues compound the risks. CVE-2025-13758 (CVSS 5.1: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) leaks passwords in initial connection requests for certain entry types.
Typically, sensitive data is fetched separately via “/sensitive-data,” but flawed logic exposes credentials upfront, aiding phishing or reuse attacks.
CVE-2025-13765 (CVSS 4.9: AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:H/SA:N) mishandles email service configs.
Non-admin users retrieve SMTP passwords when multiple services exist, exposing outbound email channels to abuse.
| CVE ID | CVSS v4.0 Score | Description | Impact Scope |
|---|---|---|---|
| CVE-2025-13757 | 9.4 (Critical) | SQLi in DateSortField (usage logs) | High (C/I/A all high) |
| CVE-2025-13758 | 5.1 (Medium) | Passwords in partial connection requests | Low confidentiality |
| CVE-2025-13765 | 4.9 (Medium) | Email service password exposure | High integrity scope |
Devolutions urges immediate upgrades to 2025.2.21+ or 2025.3.9+. No official workaround exists; as interim mitigations, turn off usage logs or temporarily restrict API access.
Organizations using Devolutions for RDP, SSH, or VPN management should review their logs for anomalous requests.