Impact
Devolutions Remote Desktop Manager versions 2025.3.30 and earlier do not correctly enforce the "Disable password saving in vaults" option when users create or edit certain connection types. Because the application does not validate this setting, an authenticated user can store passwords in vault entries even when password saving is turned off. The vulnerability arises from improper input validation (CWE-20) and insecure credential storage enforcement (CWE-295), leading to potential disclosure of sensitive credentials to other users or processes that can access the vault.
Affected Systems
The problem affects installations of Devolutions Remote Desktop Manager 2025.3.30 and older running on Windows. Any user with authenticated access to the application can create or edit connection entries that contain passwords, and those credentials are kept in the vault regardless of the user-selected setting.
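The bug class described above, as an added illustration that is not Devolutions' code: a vault-wide "disable password saving" option enforced only in some per-type save paths, beside one central check at the storage layer that every save path must pass, plus an audit that finds entries which slipped past the check. The entry types, field names and function names are made up for the example.

```python
# Added illustration, not Devolutions' code: the bug class described above (a
# vault-wide "disable password saving" option checked in only some save paths)
# beside one central check every save path must pass, plus an audit that finds
# entries which slipped past it. Entry types and field names are made up.
from dataclasses import dataclass, field

SECRET_FIELDS = {"password", "passphrase"}  # constructed field names

@dataclass
class Entry:
    name: str
    kind: str                                  # hypothetical: "RDP", "SSH"
    fields: dict = field(default_factory=dict)

class PolicyViolation(ValueError):
    """An entry would persist a secret the vault policy forbids."""

def secrets_in(entry: Entry) -> set:
    return {k for k in entry.fields if k.lower() in SECRET_FIELDS}

def without(entry: Entry, keys: set) -> Entry:
    return Entry(entry.name, entry.kind,
                 {k: v for k, v in entry.fields.items() if k not in keys})

def legacy_save(vault: list, entry: Entry, disable_password_saving: bool) -> None:
    """Weak pattern: the policy lives in the per-type editor. Only the RDP
    editor applies it, so an SSH entry is stored with its password intact."""
    if disable_password_saving and entry.kind == "RDP":
        entry = without(entry, secrets_in(entry))
    vault.append(entry)

def save_entry(vault: list, entry: Entry, disable_password_saving: bool,
               strip: bool = False) -> Entry:
    """Hardened pattern: one check at the storage layer, regardless of entry
    type or editor. Rejects by default; strip=True drops the secret instead."""
    leaked = secrets_in(entry)
    if disable_password_saving and leaked:
        if not strip:
            raise PolicyViolation(f"{entry.name}: {sorted(leaked)} not allowed")
        entry = without(entry, leaked)
    vault.append(entry)
    return entry

def audit_vault(vault: list, disable_password_saving: bool) -> list:
    """Detection: entries holding secrets despite the policy, e.g. written
    earlier by a client that skipped the check."""
    if not disable_password_saving:
        return []
    return sorted(e.name for e in vault if secrets_in(e))
```

Running `audit_vault` over an existing vault after the option is enabled is the practical check: it lists entries that already carry a stored password and need to be cleaned up.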
Risk and Exploitability
The CVSS score of 9.8 indicates a high-severity flaw. Exploitation requires legitimate authentication, but an authenticated user can then persist credentials that remain accessible to other users who can read the vault. EPSS indicates an extremely low probability of real-world exploitation at the moment, and the flaw is not listed in CISA's KEV catalog. The attack vector is an ordinary user-interface action within the application, so a user with the appropriate role privileges can trigger the flaw without advanced technical skills.