A batch of new vulnerabilities in Devolutions Server targets organizations that depend on the platform to manage privileged accounts, passwords, and sensitive authentication data.
Devolutions has released a security advisory, identified as DEVO-2025-0018, warning customers of multiple vulnerabilities, including a critical flaw that could enable attackers to extract confidential data directly from the system’s database.
The advisory notes that several versions of Devolutions Server are affected, specifically 2025.2.20 and earlier and 2025.3.8 and earlier.
Critical SQL Injection Vulnerability Enables Data Exfiltration
The most severe issue, scored 9.4 (Critical) under the CVSS 4.0 rating system, involves an SQL injection weakness in the platform’s “last usage logs.” The flaw occurs when the system attempts to sort usage history through a parameter known as DateSortField. Because the software does not sufficiently validate user-supplied input in this field, an authenticated user can inject malicious SQL commands directly into the database.
This vulnerability, tracked as CVE-2025-13757, allows a logged-in attacker to exfiltrate or modify sensitive information, posing a significant threat to environments where Devolutions Server stores high-value credentials, access keys, and privileged account data. The flaw can reveal information that should remain inaccessible, making it one of the most dangerous issues ever reported for the platform.
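The root cause described above is a sort-field parameter reaching the query unchecked. Since ORDER BY identifiers cannot be passed as bind parameters, the usual fix is to map the caller's sort field through an allowlist rather than interpolating it. The following is an added, self-contained example of that pattern (it is not Devolutions' code, and the table, column names and sample rows are constructed for illustration):

```python
import sqlite3

# Sort fields the API accepts for the usage log, mapped to real column names.
# Constructed for this example; not Devolutions' schema or code.
ALLOWED_SORT_FIELDS = {
    "usageDate": "usage_date",
    "username": "username",
    "entryName": "entry_name",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_usage_log_query(date_sort_field, direction="desc"):
    """Return a SELECT for the last-usage log ordered by a caller-chosen field.

    ORDER BY identifiers cannot be bind parameters, so the sort field is never
    interpolated from user input (the vulnerable pattern would be something like
    f"... ORDER BY {date_sort_field}"). Instead the caller's value is looked up
    in an allowlist and only the canonical column name is used; anything else raises.
    """
    try:
        column = ALLOWED_SORT_FIELDS[date_sort_field]
        order = ALLOWED_DIRECTIONS[direction.lower()]
    except KeyError as exc:
        raise ValueError(f"unsupported sort parameter: {exc.args[0]!r}") from None
    return f"SELECT entry_name, username, usage_date FROM usage_log ORDER BY {column} {order}"


def fetch_usage_log(conn, date_sort_field, direction="desc", limit=50):
    # LIMIT is a value, not an identifier, so it goes through a bind parameter.
    sql = build_usage_log_query(date_sort_field, direction) + " LIMIT ?"
    return conn.execute(sql, (limit,)).fetchall()


def demo_connection():
    """In-memory database populated with constructed sample usage-log rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usage_log (entry_name TEXT, username TEXT, usage_date TEXT)")
    conn.executemany(
        "INSERT INTO usage_log VALUES (?, ?, ?)",
        [
            ("prod-db-admin", "alice", "2025-11-20T09:15:00Z"),
            ("backup-svc", "bob", "2025-11-21T17:40:00Z"),
            ("prod-db-admin", "carol", "2025-11-19T08:05:00Z"),
        ],
    )
    return conn


if __name__ == "__main__":
    for row in fetch_usage_log(demo_connection(), "usageDate", "desc"):
        print(row)
```

A value that is not a known sort field is rejected before any SQL is built, which is the behaviour a fix for this class of bug should be tested for.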
Credit for discovering the vulnerability was attributed to JaGoTu of DCIT a.s.
Two Medium-Severity Vulnerabilities Also Discovered
Alongside CVE-2025-13757, the same research group identified two additional security weaknesses, CVE-2025-13758 and CVE-2025-13765, both classified as medium severity, though still impactful in environments requiring strict confidentiality.
CVE-2025-13758: Credentials Leaked in Partial Entry Requests
One issue involves certain entry types improperly including passwords in the initial request for general item information. Normally, credentials such as passwords are delivered only through a protected /sensitive-data request when a user intentionally accesses them.
However, some entries exposed credential data prematurely, increasing the risk of unauthorized disclosure. This vulnerability carries a 5.1 CVSS score and also affects the same product versions listed in the advisory.
CVE-2025-13765: Improper Access Control in Email Service Configuration
The second medium-severity flaw, rated 4.9 CVSS, involves improper access controls within the platform’s email service configuration API. When multiple email services were set up, users lacking administrative privileges could still retrieve email service passwords, undermining the system’s access control model.
Both issues were likewise credited to JaGoTu, DCIT a.s.
Required Updates and Remediation
Devolutions recommends immediate installation of the patched releases to remediate all three vulnerabilities. The advisory instructs customers to upgrade Devolutions Server to:
- Version 2025.2.21 or higher
- Version 2025.3.9 or higher
Applying these updates is essential to block SQL injection attempts, prevent unauthorized credential exposure, and restore proper access control protections. Without these patches, organizations remain susceptible to data exfiltration, unauthorized password retrieval, and privilege escalation.
The identification of CVE-2025-13757, CVE-2025-13758, and CVE-2025-13765 confirms the need for immediate patching across all affected Devolutions Server deployments. Because these flaws expose sensitive credentials and privileged access pathways, unpatched systems face measurable confidentiality and operational risks.
Organizations should apply the recommended updates without delay and strengthen their ongoing vulnerability oversight. Platforms such as Cyble, which provide real-time vulnerability intelligence and clearer prioritization of high-impact risks, can support security teams in identifying issues like these earlier and reducing exposure across their environments.
