CVE-2025-12485

Summary

Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does not bypass the target account MFA verification step.

This issue affects the following versions :

  • Devolutions Server 2025.3.2.0 through 2025.3.5.0

Devolutions Server 2025.2.15.0 and earlier

Affected Software

VendorProductVersion RangeStatus
DevolutionsServer2025.3.2.0 <= 2025.3.5.0affected
DevolutionsServer0 <= 2025.2.15.0affected

Weaknesses

  • CWE-269: CWE-269 Improper Privilege Management

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References