CRITICAL🇵🇱 Wersja polska

CVE-2026-0610

CVSS 9.8v3.1pub. 2026-01-19upd. 2026-02-10

SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12

🤖 AI Analysis
How it works

The vulnerability results from inadequate validation and sanitization of input data passed to SQL queries in the remote-sessions module (CWE-89). An attacker can inject malicious SQL code fragments directly over the network without needing any credentials. The malicious queries are then executed by the database engine with application privileges.

Impact

An attacker can gain unauthorized access to sensitive data stored in the database, modify or delete data, and potentially take control of the system — which corresponds to a complete breach of confidentiality, integrity, and availability.

Mitigation & patch

Devolutions Server should be updated as soon as possible to a version higher than 2025.3.12, in accordance with the vendor's guidelines available at https://devolutions.net/security/advisories/DEVO-2026-0003/. Until the update is applied, it is recommended to restrict network access to the Devolutions Server instance only to trusted IP addresses.

Who is affected

Devolutions Server versions from 2025.3.1 to 2025.3.12 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Devolutions Server

    APP
    Devolutions
    2025.3.1.0 – 2025.3.14.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-3224CRITICAL9.8PL ✓ten sam produkt

Authentication bypass w Devolutions Server przez sfałszowany JWT (Entra ID)

CVE-2026-3130CRITICAL9.8PL ✓ten sam produkt

Devolutions Server: nieuprawnione usuwanie kont PAM przez bulk deletion

CVE-2026-3204CRITICAL9.8PL ✓ten sam produkt

Devolutions Server — spoofing komunikatu błędu przez nieprawidłową walidację danych wejściowych

CVE-2025-11957CRITICAL9.0PL ✓ten sam produkt

Devolutions Server – nieautoryzowane zatwierdzanie wniosków o dostęp tymczasowy

CVE-2025-6523CRITICAL9.5PL ✓ten sam produkt

Devolutions Server – pominięcie uwierzytelnienia przez brute force kodów awaryjnych