CVE-2025-2499

Published: Mar 26, 2025Modified: Jul 2, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Client side access control bypass in the permission component in Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictions—specifically View Password, Edit Asset, and Edit Permissions by performing specific actions. This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.

Affected (4)

Products: Devolutions: Remote Desktop Manager

Devolutions

1 product

Remote Desktop Manager

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Devolutions Remote Desktop Manager	Before 2024.3.31.0
Devolutions Remote Desktop Manager	From 2025.1.24.0 to 2025.1.26.0
Devolutions Remote Desktop Manager	Before 2024.3.31.0
Devolutions Remote Desktop Manager	From 2025.1.24.0 to 2025.1.26.0

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (1)

https://devolutions.net/security/advisories/DEVO-2025-0005/

Source: security@devolutions.net

Vendor Advisory

Timeline

No history available yet.