CVE-2025-12808 is a vulnerability classified under CWE-284 (Improper Access Control) affecting Devolutions Server, a privileged access management solution widely used for managing credentials and remote connections. The flaw exists in versions 2025.2.15.0 and earlier through 2025.3.5.0, where users assigned only View-only permissions can bypass intended access restrictions to retrieve sensitive data nested at the third level within the system's data structures. Specifically, this includes password lists and custom values that should be protected from such low-privilege users. The vulnerability arises due to insufficient enforcement of access control policies on nested data elements, allowing unauthorized read access without requiring user interaction. The CVSS 3.1 base score of 6.5 reflects that the attack vector is network-based, with low attack complexity, requiring privileges but no user interaction, and results in high confidentiality impact without affecting integrity or availability. Although no exploits have been reported in the wild, the exposure of credentials can facilitate lateral movement and privilege escalation within affected environments. The vulnerability highlights a critical gap in the access control mechanisms of Devolutions Server, potentially undermining the security of sensitive credential stores.

For European organizations, this vulnerability poses a significant risk to the confidentiality of stored credentials managed by Devolutions Server. Unauthorized disclosure of passwords can lead to further compromise of internal systems, unauthorized access to critical infrastructure, and potential data breaches. Organizations in sectors such as finance, government, healthcare, and critical infrastructure that rely on Devolutions Server for privileged access management are particularly vulnerable. The exposure of credentials can enable attackers to move laterally within networks, escalate privileges, and access sensitive data or disrupt operations. Given the medium severity and the requirement of only low privileges, insider threats or compromised low-privilege accounts could exploit this vulnerability. The lack of known exploits currently provides a window for proactive mitigation, but the risk remains high if attackers develop exploit code. The impact is amplified in environments with complex nested data structures and extensive use of custom values in password lists.

To mitigate CVE-2025-12808, organizations should prioritize upgrading Devolutions Server to the latest patched version once released by the vendor, as no patch links are currently available. In the interim, restrict View-only user permissions to the minimum necessary scope and audit existing user roles to ensure no unnecessary access to sensitive nested data. Implement strict monitoring and logging of access to credential stores to detect anomalous access patterns. Employ network segmentation and multi-factor authentication to reduce the risk of compromised low-privilege accounts being leveraged. Conduct regular security reviews of access control policies within Devolutions Server configurations, focusing on nested data access. Additionally, consider compensating controls such as encrypting sensitive fields at rest and in transit, and limiting API or interface exposure to trusted networks. Educate administrators and users about the risks of credential exposure and enforce strong password hygiene and rotation policies to minimize potential damage.