Gino Boudreau

**Name of the Vulnerable Software and Affected Versions** Devolutions Server versions 2025.2.12.0 and earlier **Description** A flaw in the temporary access workflow permits a user with basic authentication to approve their own temporary access requests or those of other users. This can lead to unauthorized access to vaults and entries through specially crafted API requests. **Recommendations** Update Devolutions Server to a version later than 2025.2.12.0.

**Name of the Vulnerable Software and Affected Versions** Devolutions Server versions 2025.2.15.0 and earlier **Description** An improper input validation exists in the Security Dashboard's ignored-tasks API. An authenticated user can send a crafted request to cause a denial of service to the Security Dashboard. The issue is related to the HTTP Web Server component. **Recommendations** Versions prior to 2025.2.15.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** Devolutions Server versions 2025.1.11.0 through 2025.2.3.0 **Description** The use of weak credentials in the emergency authentication component allows an unauthenticated attacker to bypass authentication by brute-forcing the short emergency codes generated by the server. **Recommendations** Devolutions Server versions prior to 2025.2.3.0 should be updated.

**Name of the Vulnerable Software and Affected Versions** Devolutions Server versions 2025.1.11.0 and earlier Devolutions Server versions 2025.2.2.0 through 2025.2.4.0 **Description** Improper access control in the secure message component of Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature. **Recommendations** Update Devolutions Server to a version later than 2025.1.11.0. Update Devolutions Server to a version later than 2025.2.4.0.

**Name of the Vulnerable Software and Affected Versions** Devolutions Server versions 2025.1.7.0 and earlier **Description** The issue is related to improper access control in user group management. A non-administrative user with both `User Management` and `User Group Management` permissions can perform privilege escalation by adding users to groups with administrative privileges. **Recommendations** For Devolutions Server versions 2025.1.7.0 and earlier, restrict access to the `User Group Management` feature for non-administrative users until a fix is available. Consider removing the `User Group Management` permission from non-administrative users to minimize the risk of exploitation.