CVE-2025-13765: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Devolutions Server
Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.
AI Analysis
Technical Summary
CVE-2025-13765 is a vulnerability classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. Specifically, in Devolutions Server versions before 2025.2.21 and 2025.3.9, email service credentials are inadvertently exposed to users who do not have administrative rights. This flaw arises from improper access control mechanisms within the server software, allowing non-privileged users to access configuration or credential data that should be restricted. The vulnerability is remotely exploitable without user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:L/UI:N), meaning an attacker with limited privileges but network access can retrieve sensitive credentials without needing to trick a user. The CVSS base score of 4.3 reflects a medium severity, primarily due to the limited privileges required and the impact confined to confidentiality loss. No integrity or availability impacts are noted. The exposure of email service credentials can facilitate further attacks such as unauthorized email access, phishing campaigns, or lateral movement within an organization. No public exploits have been reported yet, but the presence of sensitive credential leakage makes this a notable risk for organizations relying on Devolutions Server for secure remote access and password management.
Potential Impact
For European organizations, the exposure of email service credentials can lead to significant confidentiality breaches, potentially compromising internal communications and enabling phishing or spear-phishing attacks. Organizations in sectors such as finance, government, healthcare, and critical infrastructure that depend on secure email services and remote access tools are particularly vulnerable. Unauthorized access to email credentials can also facilitate broader network infiltration, data exfiltration, and disruption of business operations. The medium severity suggests that while the vulnerability does not directly impact system integrity or availability, the indirect consequences of credential compromise could be severe. Given the widespread use of Devolutions Server in enterprise environments across Europe, especially in countries with strong IT service sectors and regulatory requirements for data protection (e.g., Germany, France, UK), the potential impact is considerable. Additionally, the vulnerability could undermine compliance with GDPR if personal data is exposed or misused following credential compromise.
Mitigation Recommendations
To mitigate CVE-2025-13765, organizations should immediately upgrade Devolutions Server to versions 2025.2.21 or later, or 2025.3.9 or later, where the vulnerability is patched. Until patches are applied, restrict user permissions rigorously to ensure that only trusted administrators have access to sensitive configuration and credential information. Implement network segmentation to limit access to the Devolutions Server management interfaces. Monitor logs for unusual access patterns or attempts to retrieve credential data by non-administrative users. Employ multi-factor authentication (MFA) for all users accessing the server to reduce the risk of credential misuse. Regularly audit user roles and permissions to ensure the principle of least privilege is enforced. Additionally, consider encrypting stored credentials and using vault solutions that minimize direct exposure of sensitive information. Conduct phishing awareness training to prepare users for potential attacks leveraging compromised credentials.
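The upgrade guidance names two fixed releases on separate branches, so a single "less than" comparison misclassifies hosts. The sketch below is an added example, not Devolutions code. It assumes three- or four-part version strings, that branches older than 2025.2 count as affected, and that branches newer than 2025.3 carry the fix; the hostnames are constructed.

```python
# Added example (not vendor code): flag Devolutions Server versions that
# predate the fixed releases this advisory names, 2025.2.21 and 2025.3.9.

# Fixed release per branch, taken from the advisory text.
FIXED = {(2025, 2): (2025, 2, 21), (2025, 3): (2025, 3, 9)}


def parse_version(text):
    """Parse 'YYYY.R.P' or 'YYYY.R.P.B' into a tuple of ints."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unrecognised version: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        # Compare only within the branch: 2025.2.25 is fixed even though it
        # sorts below 2025.3.9.
        return v[:3] < FIXED[branch]
    # Assumption: branches older than 2025.2 fall under "before 2025.2.21";
    # branches newer than 2025.3 already contain the fix.
    return branch < (2025, 2)


def triage(inventory):
    """Map each host to 'UPGRADE', 'OK' or 'UNKNOWN' (unparseable version)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "UPGRADE" if is_affected(version) else "OK"
        except ValueError:
            result[host] = "UNKNOWN"
    return result


# Constructed inventory: hostnames and versions are illustrative only.
SAMPLE = {
    "dvls-a.example.internal": "2025.2.20.0",
    "dvls-b.example.internal": "2025.2.25.0",
    "dvls-c.example.internal": "2025.3.8.0",
    "dvls-d.example.internal": "2025.3.9.0",
    "dvls-e.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as UNKNOWN need a manual version check before they can be treated as patched.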
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: DEVOLUTIONS
- Date Reserved: 2025-11-27T14:55:53.956Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69287327a95a569c55dd13f0
Added to database: 11/27/2025, 3:49:59 PM
Last enriched: 12/4/2025, 4:02:57 PM
Last updated: 1/11/2026, 8:47:55 PM