Categories: Cyber Security News

Devolutions Server Vulnerability Let Attackers Impersonate Users Using Pre-MFA Cookie

A critical vulnerability in Devolutions Server could allow attackers with low-level access to impersonate other user accounts by exploiting how the application handles authentication cookies before multi-factor authentication is completed.

The security flaw, tracked as CVE-2025-12485, stems from improper privilege management during pre-MFA cookie handling.

When a user logs in to Devolutions Server, the application issues a temporary authentication cookie after the password is accepted but before the MFA step is verified.

The problem is that this cookie carries enough identity information that whoever presents it is treated as that user for the rest of the login: the password step is effectively skipped, and the holder is positioned to take over the account once the remaining MFA check is satisfied.

The Vulnerability and How It Works

The flaw carries a CVSS 4.0 base score of 9.4 (Critical). The metrics describe an attacker who is reachable over the network, holds only low privileges (an ordinary account on the server), and needs no interaction from the victim.

A successful exploit affects the confidentiality, integrity, and availability of user accounts and of the credentials those accounts can reach.

Field               Value
CVE ID              CVE-2025-12485
Vulnerability Type  Improper Privilege Management
CVSS Score          9.4 (Critical)
Affected Product    Devolutions Server

An authenticated user with low-level permissions can capture or replay a pre-MFA cookie belonging to another user.

Presenting that cookie lets the attacker assume the target's identity within the login flow without knowing the target account's password.

The cookie does not defeat MFA outright: the target account's second factor still has to be satisfied separately.

Where it is, or where the target account has no second factor configured, the attacker ends up with an unauthorized session and can read sensitive information, modify configurations, or perform administrative actions, depending on the compromised account's permissions.
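The two paragraphs above (the cookie issued between the password and MFA steps, and its capture or replay by a lower-privileged user) describe a design pattern rather than a single line of code. The model below is an added illustration, not Devolutions Server's code: it contrasts a pre-MFA cookie that is a signed bearer token naming the user with one that is an opaque, single-use, short-lived attempt id bound to a second secret held only by the browser that passed the password step. The user table, passwords, OTP values and both class designs are constructed for the example.

```python
"""Model of the step between a correct password and a verified second factor.

Added illustration, not Devolutions Server code. The accounts, passwords, OTPs
and both designs below are constructed for the example.

WeakPreMfa      the pre-MFA cookie is a signed bearer token that names the user
                and is tied to nothing else: anyone who presents it is treated as
                that user, and it stays valid for replay.
HardenedPreMfa  the pre-MFA cookie is an opaque, single-use, short-lived attempt
                id; the user comes from server-side state, and the attempt is
                bound to a second secret only the original browser holds.
"""
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

KEY = secrets.token_bytes(32)  # server-side signing key, fresh per run
USERS = {                      # constructed sample accounts
    "alice": {"pw": "alice-pw", "otp": "111111", "role": "user"},
    "bob":   {"pw": "bob-pw",   "otp": "222222", "role": "admin"},
}


def _password_ok(user, pw):
    return user in USERS and hmac.compare_digest(USERS[user]["pw"], pw)


def _otp_ok(user, otp):
    return user in USERS and hmac.compare_digest(USERS[user]["otp"], otp)


def _session(user):
    return {"user": user, "role": USERS[user]["role"]}


class WeakPreMfa:
    """Integrity-protected, but unbound and reusable."""

    def password_step(self, user, pw) -> Optional[str]:
        if not _password_ok(user, pw):
            return None
        payload = json.dumps({"stage": "pre_mfa", "user": user}).encode()
        mac = hmac.new(KEY, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + mac).decode()

    def mfa_step(self, cookie, otp) -> Optional[dict]:
        try:
            raw = base64.urlsafe_b64decode(cookie)
        except (ValueError, TypeError):
            return None
        payload, mac = raw[:-32], raw[-32:]
        if not hmac.compare_digest(mac, hmac.new(KEY, payload, hashlib.sha256).digest()):
            return None
        claims = json.loads(payload)
        # Identity comes from whoever holds the cookie. Nothing ties the presenter to
        # the client that passed the password step, and the cookie is never
        # invalidated, so it remains valid for replay after the real login finishes.
        if claims.get("stage") != "pre_mfa" or not _otp_ok(claims.get("user"), otp):
            return None
        return _session(claims["user"])


class HardenedPreMfa:
    """Opaque attempt id, server-side state, single use, short TTL, browser binding."""

    TTL_SECONDS = 300

    def __init__(self):
        self._pending = {}

    def password_step(self, user, pw, now=None):
        if not _password_ok(user, pw):
            return None
        attempt = secrets.token_urlsafe(32)  # the pre-MFA cookie: carries no identity
        binder = secrets.token_urlsafe(32)   # second HttpOnly cookie set on the same browser
        self._pending[attempt] = {
            "user": user,
            "binder_hash": hashlib.sha256(binder.encode()).hexdigest(),
            "expires": (now if now is not None else time.time()) + self.TTL_SECONDS,
        }
        return attempt, binder

    def mfa_step(self, attempt, binder, otp, now=None) -> Optional[dict]:
        rec = self._pending.pop(attempt, None)  # single use: consumed on success and on failure
        if rec is None or (now if now is not None else time.time()) > rec["expires"]:
            return None
        presented = hashlib.sha256(binder.encode()).hexdigest()
        if not hmac.compare_digest(rec["binder_hash"], presented):
            return None                         # attempt cookie captured without the binder
        if not _otp_ok(rec["user"], otp):       # user is taken from server state, not the cookie
            return None
        return _session(rec["user"])


def replay_against_weak():
    """alice captures bob's pre-MFA cookie and replays it after bob's own login."""
    srv = WeakPreMfa()
    bob_cookie = srv.password_step("bob", "bob-pw")   # bob's browser passes the password step
    bob_login = srv.mfa_step(bob_cookie, "222222")    # bob finishes his login
    # alice never had bob's password; the cookie plus his second factor is enough
    replayed = srv.mfa_step(bob_cookie, "222222")
    return bob_login, replayed


def replay_against_hardened():
    """Same capture against the hardened flow: the cookie alone carries no identity."""
    srv = HardenedPreMfa()
    attempt, binder = srv.password_step("bob", "bob-pw")
    stolen = srv.mfa_step(attempt, "guessed-binder", "222222")  # captured cookie, no binder
    after_burn = srv.mfa_step(attempt, binder, "222222")        # attempt already consumed
    attempt2, binder2 = srv.password_step("bob", "bob-pw")      # bob redoes the password step
    legit = srv.mfa_step(attempt2, binder2, "222222")
    return stolen, after_burn, legit
```

Two design choices deserve a note. Consuming the attempt on failure means an attacker who holds a captured attempt cookie can only force the victim back to the password step, a nuisance rather than a compromise. The binder should be a separate HttpOnly, SameSite cookie; if an attacker captures both cookies and can also satisfy the OTP, that is a compromised client, and no cookie design helps. What the hardened flow removes is the property the advisory describes: a pre-MFA cookie that by itself identifies, and can be replayed as, another user.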

Devolutions Server is widely used for credential and access management across organizations. A successful attack could lead to unauthorized access to privileged accounts, lateral movement within networks, and exposure of sensitive credentials stored in the vault.

Organizations running Devolutions Server should treat this as a high-priority security issue requiring immediate remediation.

Devolutions has released security updates addressing this vulnerability. Organizations should upgrade to a fixed release on whichever branch they run: Devolutions Server 2025.3.6.0 or later on the 2025.3 branch, or Devolutions Server 2025.2.17.0 or later on the 2025.2 branch.

System administrators should prioritize patching all instances of Devolutions Server in their environments immediately.

Additionally, because the flaw may have been exploitable before the patch was applied, organizations should review authentication logs for signs of account impersonation: a login completed from a source other than the one that passed the password step, the same login attempt completed more than once, or MFA completions with no matching password step.
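The log review suggested above can be turned into a small correlation over authentication events. The code below is an added example, not a Devolutions tool, and the log format is constructed: the `event=`, `user=`, `attempt=` and `src=` fields are invented for illustration and are not Devolutions Server's real log schema, so the parser has to be mapped onto whatever your instance actually records. It flags the three patterns named above: an MFA completion from a different source than the password step, the same attempt completed twice, and an MFA completion with no preceding password step.

```python
"""Correlate password-step and MFA-step events to spot pre-MFA cookie replay.

Added example. SAMPLE_LOG and its field names are constructed for illustration
and are not Devolutions Server's real log format.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2025-11-20T09:00:01Z event=password_ok user=bob attempt=a1 src=10.0.0.5
2025-11-20T09:00:09Z event=mfa_ok user=bob attempt=a1 src=10.0.0.5
2025-11-20T09:14:30Z event=password_ok user=alice attempt=a2 src=10.0.0.77
2025-11-20T09:14:41Z event=mfa_ok user=alice attempt=a2 src=10.0.0.77
2025-11-20T09:20:02Z event=mfa_ok user=bob attempt=a1 src=10.0.0.77
2025-11-20T09:31:00Z event=mfa_ok user=carol attempt=a9 src=10.0.0.77
"""

LINE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\w+) "
    r"attempt=(?P<attempt>\w+) src=(?P<src>\S+)$"
)


def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in (LINE.match(ln) for ln in text.splitlines()) if m]


def find_suspicious(events):
    """Return (reason, event) pairs for MFA completions that do not fit a normal login."""
    findings = []
    password_step = {}            # attempt id -> first password_ok event for it
    completions = defaultdict(int)
    for e in events:
        if e["event"] == "password_ok":
            password_step.setdefault(e["attempt"], e)
        elif e["event"] == "mfa_ok":
            completions[e["attempt"]] += 1
            pw = password_step.get(e["attempt"])
            if pw is None:
                findings.append(("mfa_without_password_step", e))
            elif pw["src"] != e["src"]:
                findings.append(("mfa_from_different_source", e))
            if completions[e["attempt"]] > 1:
                findings.append(("attempt_completed_twice", e))
    return findings


def suspicious_sources(text):
    """Sources that produced at least one finding; cross-check against the
    low-privileged accounts that logged in normally from the same addresses."""
    return sorted({e["src"] for _, e in find_suspicious(parse(text))})
```

In the sample, bob's attempt `a1` is completed a second time, twenty minutes later, from the address alice used for her own login, and an account with no password step at all completes MFA from the same address. Those are the events to pivot on: which low-privileged account was active from that source, and what the impersonated accounts did afterwards.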


The post Devolutions Server Vulnerability Let Attackers Impersonate Users Using Pre-MFA Cookie appeared first on Cyber Security News.
