Devolutions Server, a platform for secure remote connection management, faces serious security risks from multiple flaws disclosed in advisory DEVO-2025-0018 on November 27, 2025.
The most severe issue is a critical SQL injection vulnerability that lets low-privileged users steal or alter sensitive data.
Affecting versions up to 2025.2.20 and 2025.3.8, these bugs expose organizations to data breaches, credential leaks, and unauthorized access. Security firm DCIT a.s., via researcher JaGoTu, discovered the issues.
The core problem stems from poor input validation in key API endpoints. Attackers with basic authenticated access can exploit these to bypass controls and manipulate the backend database.
At the heart of the advisory sits CVE-2025-13757, a 9.4-rated critical SQL injection flaw (CVSS v4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
It targets the “DateSortField” parameter in the last-usage-logs endpoint. When users sort log entries by date, the server fails to sanitize this input, allowing classic SQLi payloads like appending ' OR 1=1-- to extract arbitrary data.
An attacker crafts a malicious request to the logs API, injecting code that dumps database contents: usernames, passwords, connection details, or even admin credentials stored in Devolutions’ PostgreSQL backend.
Beyond exfiltration, the vuln supports modification (VI:H, VA:H) and full compromise of confidentiality, integrity, and availability across scopes (SC:H/SI:H/SA:H).
Network-accessible and low-complexity, it requires only standard user privileges, making lateral movement easy in enterprise setups.
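The root cause described above is a sort field spliced straight into an ORDER BY clause, which bind parameters cannot protect. The following is an added illustration, not Devolutions' code: an unsafe query builder next to an allowlist-based one, run against a constructed in-memory table. The table, column and sort-key names are assumptions made for the example.

```python
import sqlite3

# Constructed names for the example; they are assumptions, not the
# actual Devolutions Server schema or API parameter values.
ALLOWED_SORT_FIELDS = {
    "date": "LastUsageDate",
    "user": "UserName",
    "entry": "EntryName",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_unsafe(sort_field: str, direction: str = "asc") -> str:
    """Vulnerable pattern: the client-controlled sort field is pasted into
    ORDER BY, so any payload survives verbatim into the SQL text.
    Shown for contrast only; this function is never executed here."""
    return (f"SELECT EntryName, UserName, LastUsageDate FROM UsageLog "
            f"ORDER BY {sort_field} {direction}")


def build_query_safe(sort_field: str, direction: str = "asc") -> str:
    """Hardened pattern: map the request value onto an allowlist of known
    column names and directions; anything else is rejected before it can
    reach the query text."""
    column = ALLOWED_SORT_FIELDS.get(sort_field.lower())
    order = ALLOWED_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        raise ValueError(f"rejected sort parameters: {sort_field!r}, {direction!r}")
    return (f"SELECT EntryName, UserName, LastUsageDate FROM UsageLog "
            f"ORDER BY {column} {order}")


def sorted_usage_logs(sort_field: str, direction: str = "asc") -> list:
    """Run the hardened query against a constructed in-memory log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UsageLog (EntryName TEXT, UserName TEXT, LastUsageDate TEXT)")
    conn.executemany("INSERT INTO UsageLog VALUES (?, ?, ?)", [
        ("prod-db-ssh", "alice", "2025-11-20"),     # constructed sample rows
        ("jump-host-rdp", "bob", "2025-11-25"),
        ("vpn-gateway", "carol", "2025-11-22"),
    ])
    rows = conn.execute(build_query_safe(sort_field, direction)).fetchall()
    conn.close()
    return rows
```

Rejecting unknown sort keys with an error (rather than silently defaulting) also gives defenders a log line to alert on when someone probes the parameter.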
Two medium-severity issues compound the risks. CVE-2025-13758 (CVSS 5.1: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) leaks passwords in initial connection requests for certain entry types.
Typically, sensitive data is fetched separately via “/sensitive-data,” but flawed logic exposes credentials upfront, aiding phishing or reuse attacks.
CVE-2025-13765 (CVSS 4.9: AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:H/SA:N) mishandles email service configs.
Non-admin users retrieve SMTP passwords when multiple services exist, exposing outbound email channels to abuse.
| CVE ID | CVSS v4.0 Score | Description | Impact Scope |
|---|---|---|---|
| CVE-2025-13757 | 9.4 (Critical) | SQLi in DateSortField (usage logs) | High (C/I/A all high) |
| CVE-2025-13758 | 5.1 (Medium) | Passwords in partial connection requests | Low confidentiality |
| CVE-2025-13765 | 4.9 (Medium) | Email service password exposure | High integrity scope |
Devolutions urges immediate upgrades to 2025.2.21+ or 2025.3.9+. No official workaround exists; as interim measures, turn off usage logs or temporarily restrict API access.
Organizations using Devolutions for RDP, SSH, or VPN management should scan logs for anomalies.