CRITICAL🇵🇱 Wersja polska

CVE-2026-3224

CVSS 9.8v3.1pub. 2026-03-03upd. 2026-03-05

Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).

🤖 AI Analysis
How it works

Devolutions Server in Microsoft Entra ID (Azure AD) authentication mode does not properly verify the signatures or contents of JSON Web Token (JWT) tokens. An attacker can craft their own JWT token, impersonating any user registered in Entra ID. The server accepts such a forged token as valid, resulting in granting an authenticated session without actual identity verification.

Impact

An attacker can log in as any Entra ID user without any credentials, gaining full access to resources, data, and functions available to the compromised account — including potential administrative access to Devolutions Server.

Mitigation & patch

Devolutions Server must be updated to a version newer than 2025.3.15.0 according to the manufacturer's recommendations published at https://devolutions.net/security/advisories/DEVO-2026-0005/

Who is affected

Devolutions Server version 2025.3.15.0 and earlier when configured with Microsoft Entra ID (Azure AD) authentication mode.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Devolutions Server

    APP
    Devolutions
    < 2025.3.16.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-3130CRITICAL9.8PL ✓ten sam produkt

Devolutions Server: nieuprawnione usuwanie kont PAM przez bulk deletion

CVE-2026-3204CRITICAL9.8PL ✓ten sam produkt

Devolutions Server — spoofing komunikatu błędu przez nieprawidłową walidację danych wejściowych

CVE-2026-0610CRITICAL9.8PL ✓ten sam produkt

SQL Injection w module remote-sessions Devolutions Server

CVE-2025-11957CRITICAL9.0PL ✓ten sam produkt

Devolutions Server – nieautoryzowane zatwierdzanie wniosków o dostęp tymczasowy

CVE-2025-6523CRITICAL9.5PL ✓ten sam produkt

Devolutions Server – pominięcie uwierzytelnienia przez brute force kodów awaryjnych