CVE-2025-12808 is a vulnerability classified under CWE-284 (Improper Access Control) affecting Devolutions Server versions 2025.3.5.0 and earlier. The issue allows users assigned only View-only permissions to retrieve sensitive information from third-level nested fields within the application’s data structures. Specifically, these fields include password lists and custom values that should be restricted to higher privilege levels. The root cause is insufficient enforcement of access control policies on nested data elements, enabling privilege escalation in data visibility without requiring administrative or write permissions. This flaw can lead to unauthorized disclosure of stored credentials, undermining the confidentiality of sensitive information managed by the server. The vulnerability does not require user interaction and can be exploited remotely by authenticated View-only users, broadening the attack surface. Although no active exploits have been reported, the potential impact is significant due to the nature of the exposed data. Devolutions Server is commonly used for privileged access management and password vaulting in enterprise environments, making this vulnerability particularly critical for organizations relying on it to secure sensitive credentials. The absence of a CVSS score necessitates an assessment based on impact and exploitability factors, which indicate a high severity level. The vendor has not yet released patches, so organizations must monitor for updates and consider interim mitigations.

The primary impact of CVE-2025-12808 is the unauthorized disclosure of sensitive credential information, including password lists and custom values, to users with only View-only access. For European organizations, this can lead to significant confidentiality breaches, enabling attackers or insider threats to gain access to critical systems by leveraging exposed credentials. The integrity of access control policies is compromised, as users can bypass intended restrictions on sensitive data visibility. This exposure increases the risk of lateral movement within networks, privilege escalation, and potential data exfiltration or sabotage. The availability impact is indirect but may arise if attackers use the disclosed credentials to disrupt services or deploy ransomware. Organizations in sectors such as finance, government, healthcare, and critical infrastructure, which often use privileged access management solutions like Devolutions Server, face heightened risks. The vulnerability’s exploitation could undermine trust in security controls and lead to regulatory penalties under GDPR if personal data is involved. The lack of known exploits currently provides a window for proactive defense, but the ease of exploitation by authenticated View-only users elevates urgency for mitigation.

1. Monitor Devolutions’ official channels for the release of security patches addressing CVE-2025-12808 and apply them promptly once available. 2. Until patches are released, restrict View-only user accounts to the minimum necessary scope and review their permissions to ensure no unnecessary access to sensitive nested fields. 3. Implement network segmentation and access controls to limit which users and systems can connect to the Devolutions Server, reducing exposure to potentially malicious View-only users. 4. Enable detailed logging and monitoring of access to sensitive data within Devolutions Server to detect unusual or unauthorized retrieval attempts. 5. Conduct regular audits of user roles and permissions to ensure compliance with the principle of least privilege. 6. Consider deploying compensating controls such as multi-factor authentication for all users, including View-only roles, to reduce the risk of compromised accounts. 7. Educate administrators and security teams about this vulnerability to increase awareness and readiness to respond to potential exploitation attempts. 8. If feasible, isolate the Devolutions Server environment from less trusted networks and users to minimize attack surface.