Critical Devolutions Server Vulnerability Enables User Impersonation via Pre-MFA Cookies
A significant security flaw has been identified in Devolutions Server, a widely utilized credential and access management solution. This vulnerability, designated as CVE-2025-12485, allows attackers with minimal access privileges to impersonate other user accounts by exploiting the handling of authentication cookies prior to the completion of multi-factor authentication (MFA).
Understanding the Vulnerability
The core issue lies in the improper management of authentication cookies generated during the initial login phase. When a user initiates a session, Devolutions Server issues temporary authentication cookies before the MFA process is finalized. These pre-MFA cookies carry enough identity information that, if intercepted or replayed, they let an attacker assume the identity of another user within the system.
This vulnerability is particularly concerning due to its high severity rating, with a Common Vulnerability Scoring System (CVSS) score of 9.4. The exploit requires only network access and basic user privileges, without necessitating any user interaction. The potential impact spans confidentiality, integrity, and availability, posing a substantial risk to organizations relying on Devolutions Server for secure access management.
Technical Breakdown
An attacker with authenticated access and lower-level permissions can capture or replay a pre-MFA cookie associated with another user. By doing so, they can establish an unauthorized session, effectively impersonating the target user. It’s important to note that while this method allows for session hijacking, it does not bypass the MFA verification step entirely; the attacker would still need to satisfy the MFA requirements of the target account.
The implications of such unauthorized access are profound. Depending on the permissions of the compromised account, an attacker could access sensitive information, alter configurations, or perform administrative actions. Given that Devolutions Server is integral to managing privileged accounts and credentials, exploiting this vulnerability could lead to unauthorized access to critical systems, lateral movement within networks, and exposure of confidential data.
Mitigation and Recommendations
In response to this critical vulnerability, Devolutions has released security updates to address the issue. Organizations are strongly advised to upgrade to Devolutions Server version 2025.3.6.0 or higher, or version 2025.2.17.0 or higher, depending on their current deployment.
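A small inventory check for the fixed builds named above, written here as an added example rather than anything published by Devolutions. It encodes the two fixed versions from the advisory per release branch; the treatment of other branches (anything newer than 2025.3 counted as fixed, anything older than 2025.2 counted as vulnerable) and the sample hostnames are assumptions, not statements from the advisory.

```python
from typing import Dict, List, Tuple

# Fixed builds stated in the advisory, keyed by release branch (year, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (2025, 2): (2025, 2, 17, 0),
    (2025, 3): (2025, 3, 6, 0),
}

def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '2025.3.5.0' into a 4-tuple; short forms like '2025.3.6' are zero-padded."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]

def is_patched(version: str) -> bool:
    """True if this build carries the CVE-2025-12485 fix.

    Assumption (not stated in the advisory): branches newer than 2025.3 ship
    fixed, and branches older than 2025.2 have no fixed build (vulnerable).
    """
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[branch]
    return branch > max(FIXED_VERSIONS)

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket a {hostname: version} inventory into patched / vulnerable / unknown."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            bucket = "unknown"  # unparsable version string: check the host by hand
        result[bucket].append(host)
    return result

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"dvls-prod-01": "2025.3.6.0", "dvls-prod-02": "2025.3.5.2",
              "dvls-lts-01": "2025.2.17.0", "dvls-lts-02": "2025.2.16.0",
              "dvls-legacy": "2024.3.20.0", "dvls-lab": "n/a"}
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```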
System administrators should prioritize the immediate patching of all Devolutions Server instances within their environments. Additionally, it is prudent to review access logs for any signs of suspicious account impersonation attempts or unusual authentication patterns that may indicate prior exploitation of this vulnerability.
Implementing robust monitoring and logging mechanisms can aid in the early detection of unauthorized access attempts. Furthermore, educating users about the importance of safeguarding authentication cookies and credentials is essential in mitigating the risk of such exploits.
Conclusion
The discovery of CVE-2025-12485 underscores the critical importance of diligent security practices in access management solutions. Organizations utilizing Devolutions Server must act swiftly to apply the necessary patches and review their security protocols to prevent potential exploitation. By staying vigilant and proactive, businesses can safeguard their systems against unauthorized access and maintain the integrity of their sensitive data.