Devolutions Server – Security Vulnerability Analysis
Product: Devolutions Server
Affected Branch: 2025.3.x
Impact Level: High to Critical
Attack Surface: Network-exposed server components
Two security vulnerabilities were identified in Devolutions Server that affect authorization controls and database query handling. When left unpatched, these issues could allow unauthorized access and full compromise of backend data. Both issues are addressed by a vendor-supplied update and should be treated as a priority.
Vulnerability Summary Table
| CVE ID | Vulnerability Type | CVSS Score | Severity | Exploitability | Exploit Availability |
|---|---|---|---|---|---|
| CVE-2026-0610 | SQL Injection | 9.8 | Critical | Network-based, unauthenticated | No public exploit (vulnerability class is well understood) |
| CVE-2026-1007 | Authorization Bypass | 7.6 | High | Network-based, requires specific conditions | No public exploit |
CVE-2026-0610 – SQL Injection in Remote Sessions Component
Vulnerability Description
A SQL injection vulnerability was identified in the remote sessions component of Devolutions Server. User-controlled input was found to be improperly handled before being incorporated into database queries. Because parameterized queries were not consistently enforced, database commands could be altered by crafted input.
This flaw allows database logic to be manipulated remotely. Under worst-case conditions, full read and write access to the backend database could be achieved, leading to credential exposure, session manipulation, and permanent data corruption.
Affected Versions
- Devolutions Server 2025.3.1 through 2025.3.12
Potential Impact
- Unauthorized access to sensitive records
- Exposure of stored credentials and session metadata
- Modification or deletion of database tables
- Full compromise of application integrity
How Exploitation Could Occur
Exploitation could be performed by sending specially crafted requests to the remote sessions API endpoints. When malicious input is embedded within parameters expected to be trusted, database queries may execute unintended SQL logic. Because authentication is not required at the vulnerable stage, externally exposed servers are at the highest risk.
No step-by-step exploitation details are provided here. The information is intended strictly for defensive awareness and detection.
Proof of Concept Status
- No public proof-of-concept code has been released.
- Exploitation patterns are well-understood due to the vulnerability class.
- Attack simulation is possible in controlled environments for defensive testing only.
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
- T1046 – Network Service Discovery
- T1565 – Data Manipulation
- T1005 – Data from Local System
Detection Strategy
Recommended Log Sources
- Web application access logs
- API request logs
- Database query and error logs
- Web Application Firewall (WAF) logs
- Reverse proxy logs
Behavioral Indicators
- Repeated requests containing SQL keywords in parameters
- Unusual database error messages following API calls
- Unexpected increases in query execution time
- Large or abnormal data responses from session endpoints
Splunk Detection Rules – SQL Injection
Rule 1: SQL Injection Attempt – Remote Sessions
index=web_logs
uri_path="/api/remote-sessions"
| search uri_query="*select*" OR uri_query="*union*" OR uri_query="*--*" OR uri_query="*/\**" OR uri_query="* or *='*"
| stats count by src_ip, uri_path, uri_query
| where count > 3
Rule 2: Application Error Spike After Suspicious Requests
index=app_logs
| search message="*SQL*" OR message="*syntax error*" OR message="*database error*"
| stats count by src_ip, host
| where count > 5
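As an added example (not code from this advisory or from Devolutions), the script below applies the logic of Rule 1 to a few constructed access-log lines. It percent-decodes the query string before matching, so encoded payloads such as %27 or %20UNION are not missed by keyword rules, and it counts hits per source against the same threshold the Splunk rule uses. The log layout, paths and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not real Devolutions Server logs):
# "<src_ip> <method> <request-target> <status>"
SAMPLE_LOG = """\
203.0.113.7 GET /api/remote-sessions?id=42 200
203.0.113.7 GET /api/remote-sessions?id=42%27%20OR%20%271%27%3D%271 500
203.0.113.7 GET /api/remote-sessions?id=42%20UNION%20SELECT%20null,null-- 500
203.0.113.7 GET /api/remote-sessions?id=42;--%20 500
203.0.113.7 GET /api/remote-sessions?id=1/**/UNION/**/SELECT 500
198.51.100.9 GET /api/remote-sessions?id=17 200
198.51.100.9 GET /api/remote-sessions?name=select%20team 200
192.0.2.3 GET /api/health 200
"""

# Mirrors the keyword patterns of the Splunk rule, applied after decoding.
# The comment opener "/*" is matched literally, not as a wildcard.
SQLI_PATTERNS = re.compile(
    r"\bunion\b|\bselect\b|--|/\*|'\s*or\s*'|\bor\b\s+[^=\s]+\s*=",
    re.IGNORECASE,
)

TARGET_PATH = "/api/remote-sessions"
THRESHOLD = 3  # same as "where count > 3" in the Splunk rule

def parse_line(line):
    """Split one constructed log line into (src_ip, path, decoded_query, status)."""
    src_ip, _method, target, status = line.split()
    parts = urlsplit(target)
    return src_ip, parts.path, unquote_plus(parts.query), int(status)

def is_suspicious(decoded_query):
    return bool(SQLI_PATTERNS.search(decoded_query))

def flag_sources(log_text, threshold=THRESHOLD):
    """Return {src_ip: hit_count} for sources whose hits exceed the threshold."""
    hits = Counter()
    for line in log_text.strip().splitlines():
        src_ip, path, query, _status = parse_line(line)
        if path == TARGET_PATH and is_suspicious(query):
            hits[src_ip] += 1
    return {ip: n for ip, n in hits.items() if n > threshold}
```

The second source trips the `select` keyword once on a benign value, which is why the per-source threshold, rather than a single match, drives the alert.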
CVE-2026-1007 – Authorization Bypass in Virtual Gateway
Vulnerability Description
An authorization logic flaw was identified in the virtual gateway component of Devolutions Server. Under specific linked-host configurations, deny-by-IP rules were not enforced correctly. As a result, traffic originating from blocked addresses could be incorrectly processed as trusted.
This condition allows restricted endpoints to be accessed despite explicit deny policies.
Affected Versions
- Devolutions Server 2025.3.1 through 2025.3.12
Potential Impact
- Bypass of IP-based access controls
- Unauthorized access to gateway-protected services
- Increased risk of lateral movement within internal environments
How Exploitation Could Occur (High-Level)
Exploitation could occur when crafted requests leverage linked-host routing behavior. If the gateway relies on forwarded headers or host linkage without strict validation, IP restrictions may be bypassed. This typically occurs in environments where reverse proxies or load balancers are involved.
This vulnerability does not grant direct privilege escalation but weakens perimeter controls.
Proof of Concept Status
- No public exploit code has been released.
- Exploitation remains theoretical but technically feasible under misconfigured gateway conditions.
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
- T1078 – Valid Accounts
- T1021 – Remote Services
Detection Strategy
Recommended Log Sources
- Reverse proxy and gateway logs
- HTTP header logs (X-Forwarded-For, Host)
- Application authorization audit logs
- Firewall connection logs
Behavioral Indicators
- External IPs presenting internal IP headers
- Access to blocked endpoints without policy violations
- Authorization success where denial was expected
Splunk Detection Rules – Authorization Bypass
Rule 1: IP Header Mismatch
index=web_logs
| eval header_ip=coalesce(x_forwarded_for, forwarded_for)
| where header_ip!=client_ip
| stats count by client_ip, header_ip, uri_path
| where count > 3
Rule 2: Deny Rule Bypass Detection (blocked addresses are assumed to be kept in a lookup file named blocked_ip_list.csv with a src_ip column)
index=auth_logs
| search action="allowed"
| search [| inputlookup blocked_ip_list.csv | fields src_ip]
| stats count by src_ip, user, uri
Mitigation & Remediation
Immediate Actions
- External exposure of Devolutions Server should be restricted until patched.
- Reverse proxy headers must be sanitized and trusted only from known sources.
- IP allow-lists should be enforced at multiple layers (firewall + application).
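As an added example that serves both Rule 1 (IP Header Mismatch) above and the header-sanitization action in this list, and is not code from this advisory or from Devolutions, the snippet below honours X-Forwarded-For only when the TCP peer is a trusted proxy, applies a deny rule to the resulting address, and emits the indicators the detection section names. The proxy, internal and denied ranges are constructed values.

```python
import ipaddress

# Constructed sample configuration (illustrative, not a Devolutions setting):
# the reverse proxies whose X-Forwarded-For header may be trusted, the address
# space considered internal, and the range an explicit deny rule blocks.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
DENIED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_hops(xff_header):
    """Parse a comma-separated X-Forwarded-For value, dropping malformed hops."""
    hops = []
    for raw in (xff_header or "").split(","):
        try:
            hops.append(ipaddress.ip_address(raw.strip()))
        except ValueError:
            continue
    return hops

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def is_denied(ip):
    return any(ip in net for net in DENIED_NETS)

def resolve_client_ip(peer_ip, xff_header):
    """Return (effective_ip, header_ignored).

    The header is honoured only when the TCP peer is a trusted proxy, and only
    its rightmost hop is used: that is the address the proxy itself observed.
    A header presented by any other peer is ignored and reported."""
    peer = ipaddress.ip_address(peer_ip)
    hops = parse_hops(xff_header)
    if not hops:
        return peer, False
    if peer in TRUSTED_PROXIES:
        return hops[-1], False
    return peer, True

def evaluate(peer_ip, xff_header):
    """Apply the deny rule to the effective IP and report the indicators seen."""
    ip, ignored = resolve_client_ip(peer_ip, xff_header)
    indicators = []
    if ignored:
        indicators.append("xff_from_untrusted_peer")
        if not is_internal(ip) and any(is_internal(h) for h in parse_hops(xff_header)):
            indicators.append("external_peer_claims_internal_ip")
    decision = "deny" if is_denied(ip) else "allow"
    return {"client_ip": str(ip), "decision": decision, "indicators": indicators}
```

Trusting the leftmost hop instead of the rightmost would let a denied address place an internal IP in front of itself and pass; the rightmost hop is the one the trusted proxy wrote.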
Official Patch / Upgrade
Upgrade to the fixed version provided by Devolutions:
Official upgrade link:
https://devolutions.net/security/advisories
All affected systems should be upgraded to version 2025.3.14 or later.
Final Takeaway
- No exploitation details are intended for misuse.
- Detection rules are provided strictly for monitoring and defensive testing.
- Systems exposed to the internet should be treated as potentially compromised if patching was delayed.
