Impact
Improper enforcement of a mandatory multi‑factor authentication policy in Devolutions Server 2026.2.9.‑required check and authenticate without completing the second factor. The issue manifests when the system encounters an invalid default MFA value, causing the enforcement logic to be skipped. With this bypass, an attacker can obtain the same level of access as the authenticated user, potentially exposing any data or actions the user is permitted.
Affected Systems
Devolutions Server version 2026.2.9.0 is impacted. The MFA enforcement component of that release and would affect any deployment that relies on Devolutions Server’s default configuration for MFA settings. No other product versions or configurations are listed in the advisory.
Risk and Exploitability
The attack vector is straightforward: an attacker with valid user credentials can log in and avoid completing multi‑factor authentication. An EPSS score of <1% indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Although the exploitation likelihood is low, the flaw permits bypassing a core authentication control, enabling an attacker to gain the same access level as the authenticated user and compromising confidentiality and the integrity of data.
OpenCVE Enrichment