Devolutions Server <= 2025.3.15.0 Multiple Vulnerabilities (DEVO-2026-0005)

Critical | Nessus Plugin ID 301675

Synopsis

The Devolutions Server instance installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Devolutions Server installed on the remote host is 2025.3.15.0 or earlier. It is, therefore, affected by multiple vulnerabilities:

- Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT). (CVE-2026-3224)

- Improper enforcement of behavioral controls in PAM multi-account deletion in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion. This can bypass intended protections and may interfere with Just-in-Time (JIT) privilege revocation, potentially resulting in persistent elevated privileges. (CVE-2026-3130)

- Improper input validation in the error message page in Devolutions Server 2025.3.15 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL. (CVE-2026-3204)
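The first item (CVE-2026-3224) is a forged-JWT authentication bypass in the Entra ID mode. The advisory does not say which validation step was missing, so the following is an added, editor-written example of the checks any relying party must perform on an identity-provider token, not Devolutions code and not a description of the fixed defect. It assumes a constructed tenant issuer URL, a constructed audience, and a shared HMAC key so it runs offline with the standard library; a real Entra ID validator verifies RS256 signatures against the tenant's published JWKS keys and pins the expected key id instead.

```python
"""Constructed token validator (editor's example, not Devolutions code).

Order matters: pin the algorithm, verify the signature, and only then trust
any claim. A validator that reads claims first, or that takes the algorithm
from the token header, is exactly what a forged token targets.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values for this example; a real deployment pins its own tenant and app.
EXPECTED_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
EXPECTED_AUDIENCE = "api://devolutions-server-example"
SIGNING_KEY = b"constructed-demo-key"      # stands in for the IdP's JWKS key
ALLOWED_ALGS = {"HS256"}                   # Entra ID would be {"RS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY, alg: str = "HS256") -> str:
    """Build a token; alg='none' or a foreign key produces a forged one."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Return verified claims or raise ValueError with the rejection reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. The server decides which algorithms are acceptable, never the token.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    # 2. Verify the signature over the exact header.payload bytes before
    #    parsing the payload; compare in constant time.
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Issuer and audience bind the token to this tenant and this application;
    #    a valid token minted for another app must not log anyone in here.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    # 4. Lifetime: exp is mandatory, nbf optional.
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    # 5. Map to a local identity by a stable identifier (oid/sub), not by a
    #    mutable display claim such as email or name.
    if "oid" not in claims and "sub" not in claims:
        raise ValueError("no subject claim")
    return claims


def check(token: str, now: float) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = 1_700_000_000
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "oid": "user-1", "exp": t0 + 300}
    print("genuine       :", check(mint_token(base), t0))
    print("alg none      :", check(mint_token(base, alg="none"), t0))
    print("attacker key  :", check(mint_token(base, key=b"attacker"), t0))
    print("other tenant  :", check(mint_token({**base, "iss": "https://evil.example/v2.0"}), t0))
    print("expired       :", check(mint_token({**base, "exp": t0 - 1}), t0))
```

Each forged variant above fails at a different step, which is the point: a single missing check (algorithm pinning, signature verification, issuer or audience binding) is enough to let an unauthenticated party pick the `oid` of any user in the tenant.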

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
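The second item (CVE-2026-3130) is the familiar bulk-action bypass: a guard that holds on the single-item path does not hold when the same item is mixed into a batch. The advisory gives only the observable behaviour (a checked-out account is deleted when selected together with at least one free account), not the root cause. The following added example, written by the editor and not taken from Devolutions, models one plausible shape of that bug beside a corrected handler; the `PamStore` class and its sample accounts are constructed for illustration.

```python
"""Constructed illustration of a bulk-delete guard bypass (editor's example).

The flawed handler refuses a batch only when every selected account is checked
out; the fixed handler validates each item and fails closed for the whole batch,
so a checked-out account can never be removed while its JIT session is live.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PamAccount:
    account_id: str
    checked_out_by: Optional[str] = None   # user holding the JIT checkout, if any


@dataclass
class PamStore:
    accounts: Dict[str, PamAccount] = field(default_factory=dict)

    def delete_one(self, account_id: str) -> None:
        """Single-item path: the guard is enforced here and works."""
        acct = self.accounts[account_id]
        if acct.checked_out_by is not None:
            raise PermissionError(f"{account_id} is checked out by {acct.checked_out_by}")
        del self.accounts[account_id]

    def bulk_delete_flawed(self, ids: List[str]) -> None:
        """Hypothetical bug shape: the batch is refused only if *all* selected
        accounts are checked out, so adding one free account slips the
        checked-out one past the guard."""
        if ids and all(self.accounts[i].checked_out_by is not None for i in ids):
            raise PermissionError("cannot delete checked-out accounts")
        for i in ids:
            del self.accounts[i]

    def bulk_delete_fixed(self, ids: List[str]) -> None:
        """Validate every item first; refuse the whole batch if any is checked out,
        then reuse the single-item path so the two can never drift apart again."""
        blocked = [i for i in ids if self.accounts[i].checked_out_by is not None]
        if blocked:
            raise PermissionError(f"checked-out accounts in batch: {blocked}")
        for i in ids:
            self.delete_one(i)


def make_sample_store() -> PamStore:
    """Constructed data: 'svc-db' is checked out by alice, 'svc-web' is free."""
    return PamStore({
        "svc-db": PamAccount("svc-db", checked_out_by="alice"),
        "svc-web": PamAccount("svc-web"),
    })


def run_flawed(ids: List[str]) -> Dict[str, object]:
    """Apply the flawed bulk delete to a fresh store; report outcome."""
    store = make_sample_store()
    try:
        store.bulk_delete_flawed(ids)
        return {"refused": False, "remaining": sorted(store.accounts)}
    except PermissionError:
        return {"refused": True, "remaining": sorted(store.accounts)}


def run_fixed(ids: List[str]) -> Dict[str, object]:
    """Apply the fixed bulk delete to a fresh store; report outcome."""
    store = make_sample_store()
    try:
        store.bulk_delete_fixed(ids)
        return {"refused": False, "remaining": sorted(store.accounts)}
    except PermissionError:
        return {"refused": True, "remaining": sorted(store.accounts)}


if __name__ == "__main__":
    print("flawed, checked-out alone :", run_flawed(["svc-db"]))
    print("flawed, mixed batch       :", run_flawed(["svc-db", "svc-web"]))
    print("fixed,  mixed batch       :", run_fixed(["svc-db", "svc-web"]))
    print("fixed,  free only         :", run_fixed(["svc-web"]))
```

The defensive lesson is the one the fixed handler encodes: authorization and state guards belong on the per-item operation, and every batch endpoint should call that same operation rather than carry its own copy of the check. A scan plugin cannot see this distinction, which is why the note above about version-only detection matters; the only durable signal on a patched host is the version itself.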

Solution

Upgrade to Devolutions Server version 2025.3.16 or later.

See Also

https://devolutions.net/security/advisories/DEVO-2026-0005/

Plugin Details

Severity: Critical

ID: 301675

File Name: devolutions_server_DEVO-2026-0005.nasl

Version: 1.1

Type: local

Agent: windows

Family: Windows

Published: 3/10/2026

Updated: 3/10/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-3224

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4

Risk Factor: Critical

Base Score: 9.5

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

CPE: x-cpe:/a:devolutions:server

Required KB Items: installed_sw/Devolutions Server

Patch Publication Date: 3/3/2026

Vulnerability Publication Date: 3/3/2026

Reference Information

CVE: CVE-2026-3130, CVE-2026-3204, CVE-2026-3224