Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
The behavioral control mechanism (CWE-841) is not properly enforced during bulk deletion operations. An attacker with account deletion privileges can simultaneously select a PAM account currently checked out along with at least one unchecked account, then perform the bulk deletion operation. The system incorrectly allows the entire operation, failing to block deletion of an account in active use.
An attacker can permanently delete a PAM account actively used by another user, which may interrupt ongoing privileged sessions, destroy authentication credentials, and compromise the integrity and availability of the privileged access management system.
Update Devolutions Server to a version newer than 2025.3.15. Detailed information about available patches can be found in the official vendor security advisory: https://devolutions.net/security/advisories/DEVO-2026-0005
Devolutions Server version 2025.3.15 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDevolutions Server
APPDevolutions< 2025.3.16.0
Related vulnerabilities
Devolutions Server â spoofing komunikatu bĆÄdu przez nieprawidĆowÄ walidacjÄ danych wejĆciowych
Authentication bypass w Devolutions Server przez sfaĆszowany JWT (Entra ID)
SQL Injection w module remote-sessions Devolutions Server
Devolutions Server â nieautoryzowane zatwierdzanie wnioskĂłw o dostÄp tymczasowy
Devolutions Server â pominiÄcie uwierzytelnienia przez brute force kodĂłw awaryjnych