CVE-2022-3780: CWE-284 Improper Access Control in Devolutions Remote Desktop Manager
Database connections of deleted users could stay active on MySQL data sources in Remote Desktop Manager 2022.3.7 and below, which allows deleted users to access unauthorized data. This issue affects Remote Desktop Manager 2022.3.7 and prior versions.
AI Analysis
Technical Summary
CVE-2022-3780 is a high-severity vulnerability classified under CWE-284 (Improper Access Control) affecting Devolutions Remote Desktop Manager versions 2022.3.7 and earlier. The vulnerability arises because database connections associated with deleted users remain active on MySQL data sources. This flaw allows unauthorized access whereby deleted users can continue to access sensitive data despite their accounts being removed. The vulnerability does not require any privileges or user interaction to exploit, and it can be triggered remotely over the network (AV:N/AC:L/PR:N/UI:N). The impact is primarily on confidentiality, as unauthorized users can read sensitive data from the database, but it does not affect integrity or availability. The scope is unchanged, meaning the vulnerability affects only the vulnerable component without extending to other components. The vulnerability was published on November 1, 2022, with a CVSS v3.1 score of 7.5, indicating a high severity level. No known exploits are currently reported in the wild. The root cause is improper session or connection termination logic that fails to close active database connections when user accounts are deleted, leading to persistent unauthorized access. This issue is critical in environments where Remote Desktop Manager is used to manage database connections and credentials, as it undermines access control mechanisms and could lead to data leakage or unauthorized data exposure.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data managed through Remote Desktop Manager, especially in sectors such as finance, healthcare, government, and critical infrastructure where database access control is paramount. Unauthorized access by deleted users could lead to exposure of confidential customer information, intellectual property, or internal operational data. This could result in regulatory non-compliance, particularly with GDPR requirements on data protection and access control, potentially leading to fines and reputational damage. Additionally, the persistence of active connections despite user deletion complicates incident response and user access audits, increasing the risk of insider threats or misuse of credentials. Organizations relying heavily on Remote Desktop Manager for centralized credential management and database access are particularly vulnerable, as this flaw undermines the trustworthiness of their access control policies.
Mitigation Recommendations
1. Immediate upgrade to the latest version of Devolutions Remote Desktop Manager where this vulnerability is patched is the most effective mitigation.
2. Until patching is possible, implement manual monitoring and termination of database connections associated with deleted users on MySQL data sources to ensure no orphaned sessions remain active.
3. Enforce strict database-level access controls and auditing to detect and prevent unauthorized access from stale connections.
4. Regularly review and audit user accounts and active sessions in both Remote Desktop Manager and underlying databases to identify anomalies.
5. Consider implementing network segmentation and firewall rules to restrict database access only to authorized and authenticated users and systems.
6. Employ multi-factor authentication and robust credential management policies to reduce the risk of unauthorized access.
7. Enhance logging and alerting mechanisms to detect unusual database connection patterns that may indicate exploitation attempts.
8. Conduct security awareness training for administrators managing Remote Desktop Manager to ensure prompt revocation of access and session termination upon user deletion.
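Recommendations 2 and 4 amount to reconciling the MySQL process list against the current Remote Desktop Manager user list and terminating any session whose account no longer corresponds to an active user. The script below is an added illustration, not Devolutions code: it assumes each RDM user maps to a dedicated MySQL account named `rdm_<username>` (a constructed convention), and the sample process-list text is made up, shaped like the tab-separated output of `mysql --batch -e "SELECT id,user,host,command,time FROM information_schema.processlist"`.

```python
"""Audit MySQL connections against the current RDM user list (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    id: int
    user: str
    host: str
    command: str
    time: int  # seconds the connection has been in its current state


# Constructed process-list output: carol was deleted from RDM but is still connected.
SAMPLE_OUTPUT = (
    "id\tuser\thost\tcommand\ttime\n"
    "41\trdm_alice\t10.0.5.21:51322\tSleep\t120\n"
    "42\trdm_bob\t10.0.5.22:51400\tQuery\t3\n"
    "43\trdm_carol\t10.0.5.23:51511\tSleep\t8600\n"
    "44\treplication\t10.0.9.2:3306\tBinlog Dump\t99999\n"
    "45\trdm_bob\t10.0.5.22:51401\tSleep\t30\n"
)

# Accounts that are expected to hold long-lived connections and are not RDM users.
SYSTEM_ACCOUNTS = {"replication", "event_scheduler", "system user"}


def parse_processlist(text: str) -> list[Connection]:
    """Parse tab-separated process-list output that starts with a header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        rows.append(Connection(int(rec["id"]), rec["user"], rec["host"],
                               rec["command"], int(rec["time"])))
    return rows


def orphaned_connections(conns, active_rdm_users, prefix="rdm_"):
    """Connections whose MySQL account belongs to no current RDM user (assumed rdm_ prefix)."""
    allowed = {prefix + u for u in active_rdm_users} | SYSTEM_ACCOUNTS
    return [c for c in conns if c.user not in allowed]


def kill_statements(conns):
    """KILL statements for an administrator to review before running against the server."""
    return [f"KILL CONNECTION {c.id};" for c in conns]


if __name__ == "__main__":
    stale = orphaned_connections(parse_processlist(SAMPLE_OUTPUT), {"alice", "bob"})
    for c in stale:
        print(f"orphaned: id={c.id} user={c.user} host={c.host} idle={c.time}s")
    print("\n".join(kill_statements(stale)))
```

Killing the session only closes the current connection; the stale MySQL account itself should also be locked or dropped so it cannot reconnect.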
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Switzerland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: DEVOLUTIONS
- Date Reserved: 2022-10-31T18:47:33.041Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 5/21/2025, 9:08:47 AM
Last enriched: 7/3/2025, 1:55:28 PM
Last updated: 8/18/2025, 11:33:02 PM