Description
Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.
Published: 2026-01-19
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass / Unauthorized Access
Action: Patch
AI Analysis

Impact

The vulnerability is an incorrect authorization flaw in the virtual gateway component of Devolutions Server. It allows attackers to bypass configured deny‑IP rules, giving them unintended network access to internal resources that should be blocked. This results in unauthorized access and potential compromise of data confidentiality and integrity.

Affected Systems

Devolutions Server, versions 2025.3.1 through 2025.3.12.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network‑based; an attacker who can reach the virtual gateway component could target it and exploit the authorization bypass.

Generated by OpenCVE AI on April 18, 2026 at 05:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a version newer than 2025.3.12 to apply the vendor‑supplied fix.
  • Verify that deny‑IP rules are correctly defined and enforce them at the network perimeter.
  • If the virtual gateway component is not required, consider disabling or removing it to reduce the attack surface.

Generated by OpenCVE AI on April 18, 2026 at 05:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions devolutions Server
Vendors & Products Devolutions
Devolutions devolutions Server

Mon, 19 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.
Weaknesses CWE-863
References

Subscriptions

Devolutions Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-01-20T15:02:33.576Z

Reserved: 2026-01-15T21:15:42.207Z

Link: CVE-2026-1007

cve-icon Vulnrichment

Updated: 2026-01-20T14:59:49.665Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T15:15:50.220

Modified: 2026-02-10T16:59:28.517

Link: CVE-2026-1007

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses