Devolutions Server Flaw Allows Attackers to Impersonate Users via Pre-MFA Cookie

Devolutions Server has been found vulnerable to a critical security flaw that allows low-privileged authenticated users to impersonate other accounts by replaying pre-MFA cookies.

The vulnerability, tracked as CVE-2025-12485, carries a critical CVSS score of 9.4 and affects all versions up to and including 2025.3.5.

The company has released patches to address this and a second vulnerability affecting the platform.

CVE ID           Severity   CVSS   Vulnerability
CVE-2025-12485   Critical   9.4    Improper privilege management in pre-MFA cookie handling: an authenticated user can impersonate another account via cookie replay
CVE-2025-12808   High       7.1    Improper access control: view-only users can read sensitive third-level nested fields, disclosing passwords

The flaw lies in how Devolutions Server handles the pre-MFA cookie, the cookie issued once the first authentication factor has succeeded but before the second factor has been verified.

An attacker who already holds a low-privileged account can intercept a pre-MFA cookie issued for another user and replay it, and the server accepts the replayed cookie as that user.

The vulnerability does not bypass the target account's multi-factor authentication: the replayed cookie places the attacker at the second-factor prompt as the victim, and that second factor must still be satisfied before a full session is granted.

Despite this limitation, being able to impersonate another user up to the MFA stage is a serious risk for organizations that use Devolutions Server to manage credentials and privileged access.

The impersonation vulnerability is classified as improper privilege management (CWE-269). The identity asserted by a pre-MFA cookie is not tied to the session that presents it, so a replayed cookie is honoured on behalf of its original owner.

This is particularly concerning for businesses that rely on Devolutions Server to manage privileged access across their infrastructure: an attacker who reaches the MFA stage as a more privileged user is one factor away from that user's vault entries and the systems they unlock, which is a path to lateral movement and privilege escalation.
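A concrete way to see what binding a pre-MFA cookie to its owner means, as an added example that is not Devolutions' code and not a description of the vulnerable implementation (the page does not give one): the hypothetical PreMfaTokens class below issues a signed, single-use token tied to the subject who passed the first factor and to a one-time login transaction, and rejects it when it is presented for a different subject, after expiry, with a tampered body, or a second time. The class and method names, the signing key and the subject names are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a per-process signing key. A real server would
# load it from protected configuration, not generate it at import time.
SIGNING_KEY = secrets.token_bytes(32)


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class PreMfaTokens:
    """Hypothetical issue/redeem logic for single-use pre-MFA tokens.

    Each token is bound to the subject who passed the first factor and to a
    one-time login transaction id. It is accepted exactly once, only for that
    subject, and only before it expires, so a replayed token cannot stand in
    for another account.
    """

    def __init__(self, key, ttl_seconds=120):
        self._key = key
        self._ttl = ttl_seconds
        self._pending = {}  # transaction id -> subject; removed on redemption

    def issue(self, subject, now=None):
        now = time.time() if now is None else now
        txn = secrets.token_hex(16)
        claims = {"sub": subject, "txn": txn, "exp": int(now + self._ttl)}
        body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        self._pending[txn] = subject
        return _b64e(body) + "." + _b64e(tag)

    def redeem(self, token, subject, second_factor_ok, now=None):
        """Return (accepted, reason) for an attempt to finish MFA with `token`."""
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = token.split(".", 1)
            body, tag = _b64d(body_b64), _b64d(tag_b64)
        except (ValueError, binascii.Error):
            return False, "malformed"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        claims = json.loads(body)
        if now > claims["exp"]:
            self._pending.pop(claims["txn"], None)
            return False, "expired"
        # Replay check: the login transaction must still be outstanding.
        if claims["txn"] not in self._pending:
            return False, "replayed or unknown transaction"
        # Binding check: only the subject the token was issued to may redeem it.
        # The transaction is deliberately left open here so a wrong-subject
        # attempt cannot be used to lock the real owner out of their login.
        if claims["sub"] != subject:
            return False, "subject mismatch"
        if not second_factor_ok:
            return False, "second factor failed"
        del self._pending[claims["txn"]]  # consume: any later presentation is a replay
        return True, "ok"
```

The order of checks matters: signature before parsing, expiry before the replay lookup so stale transactions are purged, and the subject binding before the second factor so an attacker never learns whether the victim's OTP was correct.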

A second vulnerability, CVE-2025-12808, with a High CVSS score of 7.1, has also been disclosed.

This flaw is an improper access control issue that allows view-only users to read sensitive third-level nested fields.

Specifically, users with view-only permissions can retrieve password lists and custom values from sensitive fields, disclosing the passwords they hold.

The view-only role is meant to expose entry metadata without the secrets; because the permission check does not extend to fields nested deeper in the entry, lower-privileged users can read information they should not be able to see.
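To illustrate the bug class behind CVE-2025-12808, as an added example that is not taken from Devolutions' code base (the page does not describe the actual implementation): a view-only projection that masks sensitive keys only at the top level of an entry leaks a password three levels down, while a recursive projection masks it wherever it sits. The key names, the SAMPLE_ENTRY layout and the helper functions are constructed assumptions; the audit helper at the end is the kind of check a reviewer can run over any projection to prove nothing sensitive survived.

```python
import copy

# Constructed for this example: key names treated as sensitive. The real
# product's field model is not described on this page.
SENSITIVE_KEYS = {"password", "passwordlist", "secret"}
MASK = "********"


def _is_sensitive(key):
    return key.lower() in SENSITIVE_KEYS


def project_view_only_shallow(entry):
    """Bug pattern: mask sensitive keys only at the top level of the entry."""
    out = copy.deepcopy(entry)
    for key in out:
        if _is_sensitive(key):
            out[key] = MASK
    return out


def project_view_only_deep(obj):
    """Correct pattern: mask sensitive keys at any depth, including inside
    lists of nested objects such as custom fields or password lists."""
    if isinstance(obj, dict):
        return {k: (MASK if _is_sensitive(k) else project_view_only_deep(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [project_view_only_deep(v) for v in obj]
    return obj


def leaked_secret_paths(obj, path=()):
    """Audit helper: dotted paths of sensitive keys still holding an unmasked value."""
    leaks = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if _is_sensitive(k):
                if v != MASK:
                    leaks.append(".".join(path + (k,)))
            else:
                leaks.extend(leaked_secret_paths(v, path + (k,)))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            leaks.extend(leaked_secret_paths(v, path + (str(i),)))
    return leaks


# Constructed sample entry: one password at the root and another three levels
# below it, plus a password list nested under a custom field.
SAMPLE_ENTRY = {
    "name": "prod-db",
    "password": "top-level-secret",
    "customFields": {
        "connection": {
            "credentials": {"username": "svc_db", "password": "depth3-secret"},
            "passwordList": [{"label": "legacy", "password": "old-secret"}],
        }
    },
}
```

Running leaked_secret_paths over the output of each projection is the point: the shallow version reports the depth-three password and the nested password list, the recursive version reports nothing while leaving non-sensitive values such as the username intact.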

Devolutions has addressed both vulnerabilities with security updates. Organizations using Devolutions Server should immediately upgrade to version 2025.3.6.0 or higher, or, if running an older release branch, to version 2025.2.17.0 or higher.
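An added triage helper, not Devolutions' tooling, that applies the fixed-version rule above to an inventory of version strings. It assumes the dotted major.minor.build.revision form the page uses (shorter strings are padded with zeros). The handling of releases the page does not name is an assumption drawn from its "or higher" wording: anything at or above 2025.3.6.0 counts as patched, the 2025.2 branch is patched from 2025.2.17.0, and older branches with no fixed build listed are treated as needing an upgrade. The version strings in the comments are constructed inputs.

```python
# Fixed builds named in the advisory; everything below them on a branch is affected.
FIXED_2025_3 = (2025, 3, 6, 0)    # "2025.3.6.0 or higher"
FIXED_2025_2 = (2025, 2, 17, 0)   # "2025.2.17.0 or higher" on the older release branch


def parse_version(text):
    """'2025.3.5' -> (2025, 3, 5, 0); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_patched(text):
    """True if the build carries the fixes for CVE-2025-12485 and CVE-2025-12808."""
    v = parse_version(text)
    if v >= FIXED_2025_3:
        return True                  # 2025.3.6.0 and anything newer (assumed per "or higher")
    if v[:2] == (2025, 2):
        return v >= FIXED_2025_2     # maintained 2025.2 branch
    return False                     # 2025.3.0-2025.3.5, 2025.1.x, 2024.x: no fixed build listed


def recommended_target(text):
    """Upgrade target for an affected build, or None if it is already patched."""
    v = parse_version(text)
    if is_patched(text):
        return None
    if v[:2] == (2025, 2):
        return "2025.2.17.0"         # stay on the maintained older branch
    return "2025.3.6.0"              # current branch for everything else


def triage(versions):
    """Map each inventoried version string to the upgrade it needs (None if patched)."""
    return {s: recommended_target(s) for s in versions}
```

Feed triage() the version strings collected from each Devolutions Server instance; any non-None value is a host that still needs the update.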

The company published the initial security advisory on November 6, 2025, providing organizations with details on the vulnerability and remediation paths.

The disclosure of these two vulnerabilities together underlines the need to keep access control layers current and to audit authentication flows, including the intermediate states between factors, on a regular basis.

Organizations managing privileged accounts through Devolutions Server should prioritize these patches to prevent unauthorized access to stored secrets and account impersonation attacks.
