
CVE-2025-6741: CWE-284: Improper Access Control in Devolutions Server

High
Tags: Vulnerability, CVE-2025-6741, cve, cve-2025-6741, cwe-284
Published: Tue Jul 22 2025 (07/22/2025, 17:00:15 UTC)
Source: CVE Database V5
Vendor/Project: Devolutions
Product: Server

Description

Improper access control in the secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature. This issue affects the following versions:
* Devolutions Server 2025.2.2.0 through 2025.2.4.0
* Devolutions Server 2025.1.11.0 and earlier

AI-Powered Analysis

AI Last updated: 07/22/2025, 17:31:11 UTC

Technical Analysis

CVE-2025-6741 is a vulnerability classified under CWE-284 (Improper Access Control) affecting Devolutions Server versions 2025.2.2.0 through 2025.2.4.0 and all versions 2025.1.11.0 and earlier. The flaw resides in the secure message component of the Devolutions Server, specifically in the handling of secure message entry attachments. An authenticated user can exploit this vulnerability to access and steal unauthorized entries, which implies that the access control mechanisms governing attachment retrieval or viewing are insufficiently enforced. This could allow a user with valid credentials but without proper authorization to exfiltrate sensitive data belonging to other users or system components. The vulnerability does not require privilege escalation beyond authentication but leverages improper enforcement of access restrictions within the application logic. There are no known exploits in the wild as of the publication date, and no CVSS score has been assigned yet. The vulnerability affects a critical component of Devolutions Server, a privileged access management and remote connection management platform widely used in enterprise environments to secure and manage credentials and remote sessions.

Potential Impact

For European organizations, the impact of this vulnerability could be significant, especially for those relying on Devolutions Server for managing privileged credentials and remote access. Unauthorized disclosure of sensitive entries could lead to credential theft, lateral movement within networks, and potential compromise of critical infrastructure or sensitive data. This could result in data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and operational disruptions. Given that Devolutions Server is often deployed in sectors such as finance, healthcare, government, and critical infrastructure, the improper access control flaw could undermine trust in privileged access management solutions and expose organizations to targeted attacks. The requirement for authentication limits the attack surface to insiders or compromised accounts, but the risk remains high due to the sensitive nature of the data accessible via the server.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately identify and inventory all Devolutions Server instances in their environment. Since no patch links are currently available, organizations should apply compensating controls such as restricting access to the secure message component to only highly trusted users, enforcing strict network segmentation and access control policies, and monitoring logs for unusual access patterns to secure message attachments. Multi-factor authentication (MFA) should be enforced for all users with access to Devolutions Server. Organizations should also consider temporarily disabling the secure message entry attachment feature if feasible until an official patch is released. Regular audits of user permissions and session activities should be conducted to detect potential abuse. Once a patch becomes available from Devolutions, it should be applied promptly. Additionally, organizations should educate users about the risks of credential sharing and enforce the principle of least privilege to minimize exposure.
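The inventory step above starts with knowing which instances fall inside the affected ranges. The following is an added triage helper, not code from the advisory or from Devolutions: it parses Devolutions Server version strings and flags the two ranges the advisory lists. Hostnames and versions in the sample inventory are constructed; anything outside the listed ranges is reported as "not listed" rather than "fixed", because the advisory names no fixed version.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '2025.2.3.0' into (2025, 2, 3, 0).

    Shorter strings are right-padded with zeros so '2025.2.3' compares
    equal to '2025.2.3.0'; more than four components is rejected.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    padded = parts + (0,) * (4 - len(parts))
    return padded  # type: ignore[return-value]


# Inclusive bounds, exactly as stated in the CVE description.
# A None lower bound means "and earlier".
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (parse_version("2025.2.2.0"), parse_version("2025.2.4.0")),
    (None, parse_version("2025.1.11.0")),
]


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the listed ranges."""
    v = parse_version(version)
    return any((low is None or low <= v) and v <= high
               for low, high in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (hostname, version) pairs to (hostname, version, status)."""
    return [
        (host, ver, "affected" if is_affected(ver) else "not listed")
        for host, ver in inventory
    ]


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("dvls-prod-01", "2025.2.3.0"),   # inside 2025.2.2.0 - 2025.2.4.0
    ("dvls-lab-02", "2025.1.9.0"),    # 2025.1.11.0 and earlier
    ("dvls-new-03", "2025.2.5.0"),    # above the listed range
    ("dvls-mid-04", "2025.2.1.0"),    # between the two listed ranges
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<14} {ver:<12} {status}")
```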


Technical Details

Data Version: 5.1
Assigner Short Name: DEVOLUTIONS
Date Reserved: 2025-06-26T17:34:35.373Z
CVSS Version: null
State: PUBLISHED

Threat ID: 687fc762a83201eaac1e0104

Added to database: 7/22/2025, 5:16:18 PM

Last enriched: 7/22/2025, 5:31:11 PM

Last updated: 8/18/2025, 1:22:23 AM
