Description
SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12
Published: 2026-01-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Immediate Patch
AI Analysis

Impact

An SQL Injection flaw exists in the remote-sessions component of Devolutions Server, allowing an attacker to inject arbitrary SQL statements into queries that are executed against the server’s database. Classified as CWE-89, this vulnerability can lead to exposure or alteration of sensitive data stored on the server and may compromise the integrity of the database if user input is not properly sanitized. The impact is a significant risk to confidentiality and integrity, potentially allowing a malicious actor to exfiltrate data, modify records, or disrupt application functionality. The CVSS score of 9.8 reflects a severe risk, but the EPSS score of less than 1% indicates that exploitation probability is currently very low.

Affected Systems

Devolutions Server version 2025.3.1 through 2025.3.12 are affected.

Risk and Exploitability

The vulnerability can be exploited remotely via the remote‑sessions interface, requiring network access and valid authentication to submit malicious input. It is listed as a high‑severity weakness; however, its EPSS score indicates that exploitation is unlikely at present, and it is not catalogued in CISA KEV. Despite the low exploitation probability, the potential damage is substantial if an attacker successfully injects SQL commands.

Generated by OpenCVE AI on April 18, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Devolutions Server update that addresses CVE-2026-0610.
  • If a patch cannot be applied immediately, disable or remove the remote‑sessions feature until the vulnerability is fixed.
  • Restrict access to the remote‑session endpoint to trusted IP ranges and enforce strong authentication policies.
  • Monitor database logs for anomalous queries that may indicate an attempted injection attack.

Generated by OpenCVE AI on April 18, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title Remote SQL Injection in Devolutions Server Remote Sessions

Tue, 10 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions devolutions Server
Vendors & Products Devolutions
Devolutions devolutions Server

Mon, 19 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
Description SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12
Weaknesses CWE-89
References

Subscriptions

Devolutions Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-01-20T15:05:32.415Z

Reserved: 2026-01-05T16:11:38.393Z

Link: CVE-2026-0610

cve-icon Vulnrichment

Updated: 2026-01-20T15:05:26.871Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T15:15:50.080

Modified: 2026-02-10T15:18:15.630

Link: CVE-2026-0610

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses