Devolutions has released urgent security updates for its flagship self-hosted password management solution, Devolutions Server, addressing three distinct vulnerabilities that could expose sensitive credentials. The most severe of the batch involves a high-risk SQL injection flaw that could allow attackers to steal or alter critical data.
The most concerning discovery is CVE-2025-13757, which carries a critical CVSS score of 9.4. This vulnerability lies within the system’s logging mechanism.
According to the advisory, the flaw is “an SQL injection via the DateSortField parameter in last usage logs.” This oversight “allows authenticated users to exfiltrate or modify data.” By manipulating this specific parameter, an attacker with existing access could potentially bypass standard security controls to query the underlying database directly.
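The injection point named in the advisory is a sort-field parameter, and sort columns are SQL identifiers: a bind parameter cannot carry them, so concatenation is tempting and an allowlist that maps client names onto fixed column names is the usual fix. The Python/sqlite3 sketch below is an added illustration written for this article, not Devolutions code; the table, column and parameter names are constructed, and it shows the concatenating version beside the allowlisted one.

```python
import sqlite3

# Constructed sample table standing in for a "last usage" log (not from the advisory).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usage_logs (id INTEGER, entry TEXT, used_at TEXT)")
    conn.executemany("INSERT INTO usage_logs VALUES (?, ?, ?)", [
        (1, "db-admin", "2025-01-03"),
        (2, "vpn", "2025-01-01"),
        (3, "backup", "2025-01-02"),
    ])
    return conn

# Vulnerable shape: the client-supplied sort field is pasted into the SQL text, so
# any expression the database accepts in ORDER BY is evaluated server-side.
def last_usage_logs_unsafe(conn, sort_field, descending=False):
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT id, entry, used_at FROM usage_logs ORDER BY {sort_field} {direction}"
    return conn.execute(sql).fetchall()

# Hardened shape: client names are looked up in a fixed allowlist; only the
# allowlisted column name (never the client string) reaches the SQL text.
SORT_COLUMNS = {"date": "used_at", "entry": "entry", "id": "id"}

def is_allowed_sort_field(sort_field):
    return sort_field in SORT_COLUMNS

def last_usage_logs_safe(conn, sort_field, descending=False):
    if not is_allowed_sort_field(sort_field):
        raise ValueError(f"unsupported sort field: {sort_field!r}")
    column = SORT_COLUMNS[sort_field]
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT id, entry, used_at FROM usage_logs ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # The unsafe path happily evaluates an arbitrary expression ("id * -1" reverses the order).
    print(last_usage_logs_unsafe(conn, "id * -1"))
    # The safe path only ever sorts by a column it knows about.
    print(last_usage_logs_safe(conn, "date", descending=True))
```

The `ValueError` on an unknown sort field is deliberate: a request that does not name one of the documented sort keys is malformed, and rejecting it is both the fix and a useful log signal for detection.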
The second vulnerability, CVE-2025-13758 (CVSS 5.1), highlights a flaw in how the server transmits sensitive information. Typically, Devolutions Server splits data requests into two parts: a general request for metadata (name, username, date) and a separate /sensitive-data request for credentials like passwords when needed.
However, researchers found that for specific entry types, the system “improperly included passwords in the first request.” This means that simply viewing a list of entries could inadvertently transmit passwords over the network before the user explicitly requested to see them.
The final issue, CVE-2025-13765 (CVSS 4.9), affects the email service configuration API. The report notes that this vulnerability “returned email service passwords to users without administrative rights when multiple email services were configured.” This could allow standard users to gain unauthorized access to the organization’s email infrastructure credentials.
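Both of the exposure issues above share a root cause: a secret was stripped from a response on some code paths but not others (one entry type in the first case, the multiple-service case in the second). The following added example, written for this article and not taken from Devolutions, shows the pattern a defender wants instead: a single redaction step at the API boundary that applies to every record and every caller, with a small regression check that any list response can be run through. The entry types, field names, users and mail-service records are all constructed.

```python
from dataclasses import dataclass

# Field names treated as secrets at the API boundary (hypothetical names, not the product's).
SECRET_FIELDS = frozenset({"password", "smtp_password"})

# Constructed sample data standing in for vault entries and mail-service configurations.
ENTRIES = [
    {"id": 1, "type": "Credential", "name": "db-admin", "username": "sa", "password": "p-1"},
    {"id": 2, "type": "RDP", "name": "jump-host", "username": "ops", "password": "p-2"},
    {"id": 3, "type": "SSH", "name": "backup", "username": "svc", "password": "p-3"},
]
EMAIL_SERVICES = [
    {"name": "primary", "host": "smtp.example.test", "smtp_password": "m-1"},
    {"name": "fallback", "host": "smtp2.example.test", "smtp_password": "m-2"},
]

@dataclass
class User:
    name: str
    is_admin: bool = False

def redact_secrets(record):
    """Drop every secret-named field. Applied to anything leaving the API except
    the dedicated sensitive-data endpoint."""
    return {k: v for k, v in record.items() if k not in SECRET_FIELDS}

def leaks_secret(payload):
    """Regression check: True if any record in a list response still carries a secret field."""
    return any(k in SECRET_FIELDS for rec in payload for k in rec)

# Hypothetical rendering of the bug class behind the metadata-request issue: a
# per-type serializer where one branch forgets the redaction, so the list carries a password.
def list_entries_per_type():
    out = []
    for e in ENTRIES:
        if e["type"] == "SSH":
            out.append(dict(e))            # this branch forgot redact_secrets()
        else:
            out.append(redact_secrets(e))
    return out

# Hardened list endpoint: one redaction step for every entry type, no type-specific branching.
def list_entries():
    return [redact_secrets(e) for e in ENTRIES]

# The dedicated second request is the only place a password is returned.
def sensitive_data(entry_id):
    entry = next(e for e in ENTRIES if e["id"] == entry_id)
    return {"id": entry["id"], "password": entry["password"]}

# Hardened email-service config endpoint: the role check decides redaction once for the
# whole list, so how many services are configured cannot change the outcome.
def email_services_config(user):
    if user.is_admin:
        return [dict(s) for s in EMAIL_SERVICES]
    return [redact_secrets(s) for s in EMAIL_SERVICES]

if __name__ == "__main__":
    print("per-type serializer leaks:", leaks_secret(list_entries_per_type()))
    print("central redaction leaks:", leaks_secret(list_entries()))
    print("non-admin config leaks:", leaks_secret(email_services_config(User("alice"))))
```

`leaks_secret` is the piece worth keeping around: run it in an API test over every list endpoint as a non-admin caller, with more than one record of each type present, and the two bug shapes described above become a failing test rather than an advisory.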
Devolutions is urging all administrators to patch their instances immediately to close these security gaps. The vulnerabilities are resolved in the following versions:
- Devolutions Server 2025.2.21 or higher
- Devolutions Server 2025.3.9 or higher
Organizations using Devolutions Server to control access to privileged accounts and business user passwords should prioritize this update to maintain the integrity of their secrets management infrastructure.