Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
Devolutions Server in Microsoft Entra ID (Azure AD) authentication mode does not properly verify the signatures or contents of JSON Web Token (JWT) tokens. An attacker can craft their own JWT token, impersonating any user registered in Entra ID. The server accepts such a forged token as valid, resulting in granting an authenticated session without actual identity verification.
An attacker can log in as any Entra ID user without any credentials, gaining full access to resources, data, and functions available to the compromised account — including potential administrative access to Devolutions Server.
Devolutions Server must be updated to a version newer than 2025.3.15.0 according to the manufacturer's recommendations published at https://devolutions.net/security/advisories/DEVO-2026-0005/
Devolutions Server version 2025.3.15.0 and earlier when configured with Microsoft Entra ID (Azure AD) authentication mode.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDevolutions Server
APPDevolutions< 2025.3.16.0
Related vulnerabilities
Devolutions Server: nieuprawnione usuwanie kont PAM przez bulk deletion
Devolutions Server — spoofing komunikatu błędu przez nieprawidłową walidację danych wejściowych
SQL Injection w module remote-sessions Devolutions Server
Devolutions Server – nieautoryzowane zatwierdzanie wniosków o dostęp tymczasowy
Devolutions Server – pominięcie uwierzytelnienia przez brute force kodów awaryjnych