PT-2025-23931 · Devolutions · Devolutions Server
Published 2025-06-05 · Updated 2025-06-05 · CVE-2025-5382
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Devolutions Server versions 2025.1.7.0 and earlier
Description
The issue stems from inadequate access control in the Multi-Factor Authentication (MFA) feature for user accounts in Devolutions Server: a user who holds the user management permission can remove or change the MFA settings of administrator accounts, even though that user is not an administrator.
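The access-control flaw above, modelled as an added example (constructed for this record, not Devolutions code): a toy authorization check in which the user-management permission alone decides whether an MFA setting may be changed, beside a hardened version that additionally refuses to let a non-administrator touch an administrator's MFA. Account names, the `manage_users` permission and the function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed account model; not the product's real data model.
@dataclass(frozen=True)
class Account:
    name: str
    is_admin: bool
    permissions: frozenset = field(default_factory=frozenset)

def can_change_mfa_vulnerable(actor: Account, target: Account) -> bool:
    """Flawed rule: holding the user-management permission is enough,
    regardless of how privileged the target account is."""
    return "manage_users" in actor.permissions

def can_change_mfa_fixed(actor: Account, target: Account) -> bool:
    """Hardened rule: the user-management permission is still required,
    and an administrator's MFA may only be changed by another administrator."""
    if "manage_users" not in actor.permissions:
        return False
    if target.is_admin and not actor.is_admin:
        return False
    return True

def audit_line(actor: Account, target: Account, allowed: bool) -> str:
    """Audit record worth alerting on: any attempt by a non-admin to alter
    an admin's MFA, whether or not the check allowed it."""
    verdict = "ALLOWED" if allowed else "DENIED"
    return f"mfa_change actor={actor.name} target={target.name} {verdict}"

def scenario() -> dict:
    # Constructed accounts: an admin, a help-desk user with user management, a plain user.
    admin = Account("alice", True, frozenset({"manage_users"}))
    helpdesk = Account("bob", False, frozenset({"manage_users"}))
    user = Account("carol", False)
    return {
        "vuln_helpdesk_vs_admin": can_change_mfa_vulnerable(helpdesk, admin),
        "fixed_helpdesk_vs_admin": can_change_mfa_fixed(helpdesk, admin),
        "fixed_helpdesk_vs_user": can_change_mfa_fixed(helpdesk, user),
        "fixed_admin_vs_admin": can_change_mfa_fixed(admin, admin),
        "fixed_user_vs_admin": can_change_mfa_fixed(user, admin),
        "audit": audit_line(helpdesk, admin, can_change_mfa_fixed(helpdesk, admin)),
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```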
Recommendations
For Devolutions Server versions 2025.1.7.0 and earlier, restrict the user management permission to trusted accounts to prevent unauthorized changes to MFA settings.
As a temporary workaround, closely monitor and limit administrative access to minimize the risk of unauthorized MFA changes until a fix is available.
Fix
Weakness Enumeration
Improper Access Control
Related Identifiers
Affected Products
Devolutions Server