Improper authentication in the vault password feature in Devolutions Remote Desktop Manager 2024.1.31.0 and earlier allows an attacker that has compromised an access to an RDM instance to bypass the vault master password via the offline mode feature.
The vulnerability results from improper authentication implementation (CWE-287) in the vault password function. An attacker who has gained access to the Remote Desktop Manager instance can use the offline mode feature to bypass the master password verification protecting the vault. This allows access to encrypted resources without knowing the correct password.
An attacker with compromised access to an RDM instance can gain full access to vault contents — including stored credentials, connection configurations, and other sensitive data — without needing to provide the correct master password.
Devolutions Remote Desktop Manager should be updated to a version newer than 2024.1.31.0. Detailed information about available patches can be found in the vendor's official security bulletin: https://devolutions.net/security/advisories/DEVO-2024-0008
Devolutions Remote Desktop Manager version 2024.1.31.0 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDevolutions Remote Desktop Manager
APPDevolutions< 2024.1.32.0
Related vulnerabilities
Błędne egzekwowanie zakazu zapisywania haseł w Devolutions Remote Desktop Manager
Pomijanie uprawnień po stronie klienta w Devolutions Remote Desktop Manager na iOS
Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and e...
A remote code execution vulnerability in Remote Desktop Manager 2023.2.33 and earlier on Windows allows an a...
Inadequate validation of permissions when employing remote tools and macros within Devolutions Remote Desktop...