CVE-2025-11957: CWE-639: Authorization Bypass Through User-Controlled Key in Devolutions Server
CVE-2025-11957 is a critical authorization bypass vulnerability in Devolutions Server versions 2025.2.12.0 and earlier. It allows an authenticated basic user to exploit improper authorization in the temporary access workflow to self-approve or approve other users' temporary access requests. This flaw enables unauthorized access to sensitive vaults and entries through crafted API requests without requiring user interaction. The vulnerability has a CVSS score of 9.0, indicating a high-impact, network-exploitable issue with low privileges required but high attack complexity. No known exploits are currently in the wild. European organizations using Devolutions Server for privileged access management are at risk of unauthorized data exposure and potential lateral movement within their environments.
AI Analysis
Technical Summary
CVE-2025-11957 is an authorization bypass vulnerability categorized under CWE-639, affecting Devolutions Server versions 2025.2.12.0 and earlier. The vulnerability arises from improper authorization checks in the temporary access workflow, which is designed to grant time-limited access to vaults and entries. An authenticated user with basic privileges can manipulate the API requests to self-approve or approve temporary access requests for other users, effectively elevating their access rights without proper approval. This bypass allows unauthorized access to sensitive credentials and secrets stored within the vaults, potentially compromising the confidentiality and integrity of critical systems. The vulnerability is exploitable remotely over the network without user interaction, but requires low privileges (authenticated basic user) and has high attack complexity due to the need to craft specific API requests. The CVSS 4.0 vector indicates high impact on confidentiality, integrity, and availability, with scope and security requirements also high. Although no public exploits are reported yet, the critical nature of the flaw demands urgent attention. Devolutions Server is widely used for privileged access management, making this vulnerability a significant risk for organizations relying on it to secure access to sensitive infrastructure.
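As an added illustration that is not Devolutions' code, the following Python sketches a temporary-access approval endpoint in the CWE-639 shape the analysis describes (the approver identity and request key are trusted from the client body) beside a hardened version that derives the actor from the session, requires a vault-scoped approver role, enforces separation of duties and rejects non-pending requests. Users, vaults, roles and request ids are constructed.

```python
# Added illustrative example (not Devolutions' code): a temporary-access
# approval endpoint in the CWE-639 shape the advisory describes, beside a
# hardened version. Users, vaults, roles and request ids are constructed.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class AccessRequest:
    request_id: str
    requester: str
    vault: str
    status: str = "pending"
    approved_by: Optional[str] = None

# Constructed data: which users hold the approver role on which vault.
VAULT_APPROVERS = {"prod-secrets": {"alice"}, "dev-secrets": {"alice", "bob"}}

def fresh_requests() -> Dict[str, AccessRequest]:
    """Constructed pending requests: carol (basic user) and alice (approver)."""
    return {
        "req-1": AccessRequest("req-1", "carol", "prod-secrets"),
        "req-2": AccessRequest("req-2", "alice", "prod-secrets"),
    }

def approve_vulnerable(reqs, session_user: str, body: dict) -> str:
    """Vulnerable shape: authentication is the only check, and the request key
    and the recorded approver are both taken from the client body (CWE-639),
    so a basic user can approve any request, including their own."""
    req = reqs.get(body.get("request_id"))
    if req is None or not session_user:
        return "denied: bad request"
    req.status, req.approved_by = "approved", body.get("approver", session_user)
    return "approved"

def approve_hardened(reqs, session_user: str, request_id: str) -> str:
    """Hardened: the actor comes from the authenticated session, never the
    body; the actor must hold the approver role on the request's vault;
    separation of duties forbids approving one's own request; and only a
    pending request can transition, so an approval cannot be replayed."""
    req = reqs.get(request_id)
    if req is None or req.status != "pending":
        return "denied: no pending request with that id"
    if session_user not in VAULT_APPROVERS.get(req.vault, set()):
        return "denied: not an approver for vault " + req.vault
    if session_user == req.requester:
        return "denied: self-approval is forbidden"
    req.status, req.approved_by = "approved", session_user
    return "approved"
```

The same audit fields (requester, approver, vault, status) are what a log review for mitigation item 4 would compare: an approval record whose approver equals the requester, or whose approver holds no approver role on the vault, is the anomaly to alert on.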
Potential Impact
For European organizations, this vulnerability poses a severe risk to the security of privileged credentials and secrets managed within Devolutions Server. Unauthorized access to vaults can lead to credential theft, lateral movement, and potential full compromise of critical IT infrastructure. This can result in data breaches, operational disruption, and regulatory non-compliance, especially under GDPR and other data protection laws. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely heavily on privileged access management are particularly vulnerable. The ability for a low-privileged authenticated user to escalate access undermines trust in access controls and can facilitate insider threats or external attackers who have gained basic user credentials. The network-exploitable nature increases the attack surface, potentially allowing remote exploitation from within corporate networks or VPNs.
Mitigation Recommendations
1. Immediately upgrade Devolutions Server to a version that addresses CVE-2025-11957 once available.
2. Until a patch is released, restrict basic user privileges and review temporary access workflows to limit approval capabilities.
3. Implement strict network segmentation and access controls to limit who can authenticate to the Devolutions Server.
4. Monitor API usage logs for unusual or unauthorized approval activities, focusing on temporary access requests.
5. Enforce multi-factor authentication (MFA) for all users accessing the server to reduce the risk of credential misuse.
6. Conduct regular audits of vault access and temporary access approvals to detect anomalies.
7. Educate administrators and users about the risks of improper access approvals and encourage prompt reporting of suspicious behavior.
8. Consider deploying Web Application Firewalls (WAF) or API gateways with custom rules to detect and block suspicious crafted API requests targeting the temporary access workflow.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: DEVOLUTIONS
- Date Reserved: 2025-10-20T12:21:03.561Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68f9120a519b40327236e527
Added to database: 10/22/2025, 5:19:06 PM
Last enriched: 12/2/2025, 5:49:23 PM
Last updated: 12/7/2025, 2:06:21 PM