Devolutions, a leading provider of privileged access management (PAM) and remote connection solutions, has released an urgent security advisory addressing two serious vulnerabilities in its Devolutions Server product.
The flaws — tracked as CVE-2025-12485 and CVE-2025-12808 — impact the self-hosted Devolutions Server, which is used by enterprises to control access to privileged accounts and business user passwords.
The first vulnerability, CVE-2025-12485, received a CVSS score of 9.4 (Critical) and stems from improper privilege management during pre-MFA cookie handling. According to Devolutions, a low-privileged authenticated user could impersonate another account by replaying a specific authentication token — known as the pre-MFA cookie.
“Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie,” the advisory explains.
While this vulnerability does not bypass multi-factor authentication (MFA) itself, it could allow an attacker who already has access to the system to escalate privileges or pivot laterally by masquerading as a higher-level user.
“This does not bypass the target account MFA verification step,” Devolutions clarified.
Such impersonation could lead to unauthorized access to critical assets, audit log manipulation, or configuration tampering within privileged management workflows — a serious concern for organizations relying on Devolutions Server for enterprise credential control.
The second vulnerability, CVE-2025-12808, carries a CVSS score of 7.1 (High) and arises from improper access control in Devolutions Server’s handling of nested fields.
In affected versions, a View-only user — typically restricted to non-editable access — can retrieve sensitive third-level nested fields that may contain custom values or plaintext credentials.
“Improper access control in Devolutions Server allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure,” the advisory warns.
This exposure could allow unauthorized users to harvest stored passwords or configuration secrets from the server’s database, undermining internal segregation-of-duty models designed to protect sensitive credential information.
Both vulnerabilities affect multiple versions of Devolutions Server 2025, with fixes available in the latest maintenance updates:
- Upgrade to Devolutions Server 2025.3.6.0 or higher
- Upgrade to Devolutions Server 2025.2.17.0 or higher
Devolutions emphasized that upgrading to these versions is the only effective remediation. No configuration workaround is available that fully mitigates the issue.
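Since upgrading is the only remediation, the practical defender task is finding which installed builds still fall below the fixed versions quoted above. The following is an added example, not Devolutions' own tooling: it parses dotted version strings, picks the fixed build for the matching release branch, and triages an inventory; treating a 2025 branch with no fixed build listed (such as 2025.1.x) as "upgrade" is a conservative assumption, and hostnames and versions in the sample are constructed.

```python
# Added example, not Devolutions' tooling; versions are dotted strings like "2025.2.15.0".
# Fixed builds from the advisory, keyed by release branch (major.minor).
FIXED_VERSIONS = {
    (2025, 2): (2025, 2, 17, 0),
    (2025, 3): (2025, 3, 6, 0),
}


def parse_version(text: str) -> tuple:
    """'2025.3.5' -> (2025, 3, 5, 0); short strings are right-padded with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version_text: str) -> dict:
    """Return {'version', 'status', 'fixed_in'} for one installed build.

    patched  - at or above the fixed build of its own branch
    affected - same branch, but below the fixed build
    upgrade  - a 2025 branch with no fixed build listed (assumption: e.g. 2025.1.x)
    unknown  - not a 2025 release; the advisory text here does not cover it
    """
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        status, target = ("patched" if v >= fixed else "affected"), fixed
    elif v[0] == 2025:
        status, target = "upgrade", max(FIXED_VERSIONS.values())
    else:
        status, target = "unknown", None
    return {"version": ".".join(map(str, v)), "status": status,
            "fixed_in": ".".join(map(str, target)) if target else None}


def triage(inventory: dict) -> list:
    """assess() every {host: version} entry; hosts needing action sort first."""
    order = {"affected": 0, "upgrade": 1, "unknown": 2, "patched": 3}
    rows = [{"host": h, **assess(ver)} for h, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r["status"]], r["host"]))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"dvls-prod": "2025.2.15.0", "dvls-lab": "2025.3.6.0",
              "dvls-old": "2025.1.9.0"}
    for row in triage(sample):
        print(row)
```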