Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled.
The 'Disable password saving in vaults' setting is not properly enforced in the component responsible for handling connection entries. An authenticated user can bypass this restriction by creating or editing specific connection types, which allows permanent storage of credentials in a vault entry. The control mechanism (CWE-20: Improper Input Validation, CWE-295: Improper Certificate Validation) does not correctly verify the policy status across all save paths.
An attacker or unauthorized user can gain access to credentials (usernames and passwords) saved by other users within the same vault, which may lead to account takeover and further compromise of the environment's security.
Devolutions Remote Desktop Manager should be updated to a version newer than 2025.3.30 according to the vendor's recommendations available at https://devolutions.net/security/advisories/DEVO-2026-0005
Devolutions Remote Desktop Manager version 2025.3.30 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDevolutions Remote Desktop Manager
APPDevolutions≤ 2025.3.30.0
Related vulnerabilities
Pominięcie hasła master vault w Devolutions Remote Desktop Manager
Pomijanie uprawnień po stronie klienta w Devolutions Remote Desktop Manager na iOS
Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and e...
A remote code execution vulnerability in Remote Desktop Manager 2023.2.33 and earlier on Windows allows an a...
Inadequate validation of permissions when employing remote tools and macros within Devolutions Remote Desktop...