wid-sec-w-2026-0588 · Published 2026-03-03 · View on BSI CERT-Bund ↗

Devolutions Server and Remote Desktop Manager: Multiple Vulnerabilities

CVSS 9.8 CRITICAL

Risk Summary

Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL. Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion. Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).

CVEs (4)

CVE-2026-3204 CVE-2026-3130 CVE-2026-3224 CVE-2026-2590

Affected Vendors

Devolutions

Affected Products (6)

Devolutions · Remote Desktop Manager <2026.1

Devolutions · Remote Desktop Manager 2026.1

Devolutions · Server <2026.1

Devolutions · Server 2026.1

Devolutions · Server <2025.3.16

Devolutions · Server 2025.3.16

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more