SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12
The vulnerability results from inadequate validation and sanitization of input data passed to SQL queries in the remote-sessions module (CWE-89). An attacker can inject malicious SQL code fragments directly over the network without needing any credentials. The malicious queries are then executed by the database engine with application privileges.
An attacker can gain unauthorized access to sensitive data stored in the database, modify or delete data, and potentially take control of the system — which corresponds to a complete breach of confidentiality, integrity, and availability.
Devolutions Server should be updated as soon as possible to a version higher than 2025.3.12, in accordance with the vendor's guidelines available at https://devolutions.net/security/advisories/DEVO-2026-0003/. Until the update is applied, it is recommended to restrict network access to the Devolutions Server instance only to trusted IP addresses.
Devolutions Server versions from 2025.3.1 to 2025.3.12 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDevolutions Server
APPDevolutions2025.3.1.0 – 2025.3.14.0 (bez)
Related vulnerabilities
Authentication bypass w Devolutions Server przez sfałszowany JWT (Entra ID)
Devolutions Server: nieuprawnione usuwanie kont PAM przez bulk deletion
Devolutions Server — spoofing komunikatu błędu przez nieprawidłową walidację danych wejściowych
Devolutions Server – nieautoryzowane zatwierdzanie wniosków o dostęp tymczasowy
Devolutions Server – pominięcie uwierzytelnienia przez brute force kodów awaryjnych