Devolutions Server and Remote Desktop Manager Authentication Bypass Vulnerability in Microsoft Entra ID

Vulnerability

An authentication bypass vulnerability has been identified in Devolutions Server and Remote Desktop Manager, both through version 2025.3.15.0. In the Microsoft Entra ID (Azure AD) authentication mode, this vulnerability allows an unauthenticated user to authenticate as any Entra ID user by using a forged JSON Web Token (JWT). The attack requires knowledge of the victim's email.
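The advisory does not state which validation step the affected versions skipped, so the following added example (not Devolutions' code and not a reproduction of the bug) shows only the contrast a relying party must enforce when it accepts an identity-provider token in place of its own login: `decode_unverified` is the weak pattern of reading claims without checking the signature, while `validate_token` pins the algorithm, verifies the signature, and checks issuer, audience and expiry before any claim such as the user's email is trusted. To run offline the example signs with an HMAC secret; a real Entra ID integration verifies RS256 signatures against the tenant's published JWKS. The issuer URL, audience, secret and usernames are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders. A real Entra ID relying party uses the tenant's
# issuer URL, its own application (client) ID, and the tenant's RS256 JWKS
# keys; the shared HMAC secret here only stands in for the key check.
EXPECTED_ISSUER = "https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/v2.0"
EXPECTED_AUDIENCE = "<APP-CLIENT-ID-PLACEHOLDER>"
IDP_SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_token(claims: dict, key: Optional[bytes], alg: str = "HS256") -> str:
    """Test-vector builder standing in for the identity provider.
    key=None produces an unsigned token with alg 'none'."""
    header = {"alg": alg, "typ": "JWT"}
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if key is None:
        return f"{head}.{body}."
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """WEAK: returns the claims without checking the signature. Any caller that
    maps a user from this result trusts whoever minted the token."""
    _head, body, _sig = token.split(".")
    return json.loads(_b64url_decode(body))


def validate_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Hardened: verify algorithm, signature and standard claims first."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    # Pin the algorithm on the verifier side; never let the token choose it.
    # This also rejects alg 'none'.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if EXPECTED_AUDIENCE not in aud_list:
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    return claims


def resolve_user(token: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Maps a token to a user only after it validates; None otherwise."""
    try:
        return validate_token(token, key, now).get("preferred_username")
    except ValueError:
        return None


if __name__ == "__main__":
    now = time.time()
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 600}
    legit = make_token({**base, "preferred_username": "alice@example.com"}, IDP_SECRET)
    forged = make_token({**base, "preferred_username": "admin@example.com"}, None, alg="none")
    print("weak path sees:", decode_unverified(forged)["preferred_username"])
    print("hardened path, legit token:", resolve_user(legit, IDP_SECRET))
    print("hardened path, forged token:", resolve_user(forged, IDP_SECRET))
```

The algorithm is fixed by the verifier rather than read from the token header, and the signature is checked before issuer, audience and expiry, so no claim is inspected until its origin is established; that ordering is what makes knowledge of a victim's email alone worthless to a caller of `resolve_user`.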

Impact

Exploitation of this vulnerability allows for unauthorized authentication as an arbitrary Entra ID user.

Remediation

Users are advised to upgrade to Devolutions Server version 2025.3.16 or higher. For Remote Desktop Manager, the recommended version is 2026.1.

Added: Mar 3, 2026, 10:48 PM
Updated: Mar 3, 2026, 10:48 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.2
remediation: 8.3
relevance: 3.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.