Description
Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link.
Published: 2026-06-26
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from incorrect link resolution by display name in the custom PowerShell VPN editor. An authenticated attacker with write access to a shared workspace can create a VPN script link that collides with an existing display name, causing the system to resolve to the malicious script. This allows execution of PowerShell code in the context of another user, enabling arbitrary code execution within the workspace. The weakness is an unauthorized access flaw (CWE‑706).

Affected Systems

Affected vendor and product are Devolutions Remote Desktop Manager. The issue applies to releases 2026.2.5 through 2026.2.11 inclusive. Any instance configured with shared workspaces and users with write privileges is potentially vulnerable.

Risk and Exploitability

The CVSS score is not published, and EPSS data is unavailable. The vulnerability is not listed in CISA KEV. Exploitation requires authenticated access with write permissions to a shared workspace, which is a narrower precondition than remote unauthenticated access. An attacker can trigger the flaw via the VPN editor UI or API. Because the attacker would gain execution rights in another user's context, the potential damage is high, though the attack surface is limited to environments where such workspaces are present and shared among multiple users.

Generated by OpenCVE AI on June 26, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Remote Desktop Manager to version 2026.2.12 or later, where the display name collision logic has been corrected.
  • If upgrade cannot be performed immediately, restrict write permissions on shared workspaces to a minimal set of trusted users and enforce strict naming policies for VPN script links to prevent duplicate display names.
  • Perform an audit of existing VPN script links for duplicate display names and remove any unexpected or suspicious entries; as an interim workaround this helps block the execution of malicious scripts until a patch is applied.

Generated by OpenCVE AI on June 26, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Arbitrary PowerShell Execution via Display Name Collision in Remote Desktop Manager

Fri, 26 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link.
Weaknesses CWE-706
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-26T19:25:32.593Z

Reserved: 2026-06-25T19:55:53.064Z

Link: CVE-2026-13372

cve-icon Vulnrichment

Updated: 2026-06-26T19:25:28.123Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-706

    Use of Incorrectly-Resolved Name or Reference