CVE-2025-12808

MEDIUM CVSS 3.1: 6.5 EPSS 0.04%
Updated Nov 10, 2025
Devolutions
CVSS: 6.5 (MEDIUM)
Affected Versions: 2025.3.2.0 — 2025.3.6.0
Fixed In: 2025.2.17.0
Type: CWE-284 (Improper Access Control)
Vendor: Devolutions
Public PoC: No

Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure. This issue affects the following versions:

* Devolutions Server 2025.3.2.0 through 2025.3.5.0
* Devolutions Server 2025.2.15.0 and earlier

Attack Parameters

Attack Vector: Network (Can be exploited remotely)
Attack Complexity: Low (Easy to exploit)
Privileges Required: Low (Basic privileges needed)
User Interaction: None (No user interaction needed)

Impact Assessment

Confidentiality: High (Complete data leak)
Integrity: None (No data modification)
Availability: None (No disruption)

CVSS Vector v3.1

Vulnerable Products 2

Configuration: Devolutions Devolutions_Server
cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Up to (excluding): 2025.2.17.0

Configuration: Devolutions Devolutions_Server
cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
From (including): 2025.3.2.0
Up to (excluding): 2025.3.6.0