CVE-2026-0610: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Devolutions Server
CVE-2026-0610 is an SQL Injection vulnerability affecting Devolutions Server versions 2025.3.1 through 2025.3.12. The flaw resides in the remote-sessions component, allowing attackers to inject malicious SQL commands due to improper neutralization of special elements. Exploitation could lead to unauthorized data access, modification, or deletion within the affected server's database. No public exploits are currently known, and no official patches have been released yet. The vulnerability requires no authentication but may need network access to the server. European organizations using Devolutions Server for remote session management are at risk, especially those in sectors relying heavily on secure remote access.
AI Analysis
Technical Summary
CVE-2026-0610 is a critical SQL Injection vulnerability identified in the remote-sessions functionality of Devolutions Server versions 2025.3.1 through 2025.3.12. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), allowing an attacker to inject arbitrary SQL code. This can enable unauthorized access to sensitive data, modification or deletion of database records, and potentially full compromise of the server's backend database. The vulnerability does not require authentication, increasing its risk profile, and can be exploited remotely if the attacker has network access to the affected service. No CVSS score has been assigned yet, and no known exploits are currently in the wild. Devolutions Server is widely used for managing remote sessions and credentials, making this vulnerability particularly dangerous as it could expose critical credentials and session data. The lack of available patches means organizations must rely on interim mitigations until official fixes are released. The vulnerability highlights the importance of secure input validation and parameterized queries in preventing SQL Injection attacks.
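The parameterized-query point above, shown as an added example (it is not Devolutions Server code and not part of the advisory): the same lookup written with string concatenation, which is the CWE-89 pattern, and with a bound parameter. The `remote_sessions` table, its columns, the rows and the test input are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with a constructed, hypothetical schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE remote_sessions (id INTEGER, owner TEXT, host TEXT)")
    db.executemany(
        "INSERT INTO remote_sessions VALUES (?, ?, ?)",
        [(1, "alice", "db01.example.test"),
         (2, "bob", "web01.example.test"),
         (3, "carol", "dc01.example.test")],
    )
    return db

def sessions_concatenated(db, owner):
    """CWE-89 pattern: caller input becomes part of the SQL text itself."""
    query = ("SELECT host FROM remote_sessions WHERE owner = '"
             + owner + "' ORDER BY id")
    return [row[0] for row in db.execute(query)]

def sessions_parameterized(db, owner):
    """Hardened form: the SQL text is fixed and the input is bound as a value."""
    query = "SELECT host FROM remote_sessions WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(query, (owner,))]

# Constructed test input: a quote followed by a boolean tautology.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Concatenated form returns every owner's rows for the crafted input.
    print("concatenated :", sessions_concatenated(db, CRAFTED))
    # Parameterized form treats the whole string as an owner name: no rows.
    print("parameterized:", sessions_parameterized(db, CRAFTED))
```
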
Potential Impact
For European organizations, the impact of CVE-2026-0610 could be significant, especially for those in finance, government, healthcare, and critical infrastructure sectors that rely on Devolutions Server for secure remote access and credential management. Exploitation could lead to unauthorized disclosure of sensitive data, including credentials and session information, potentially enabling further lateral movement within networks. Data integrity could be compromised by unauthorized modification or deletion of records, disrupting business operations. Availability might also be affected if attackers manipulate the database to cause service outages. The vulnerability's remote exploitability without authentication increases the risk of widespread attacks, potentially affecting multiple organizations across Europe. Additionally, regulatory compliance risks arise from potential data breaches under GDPR and other data protection laws. Organizations with extensive remote workforce setups or third-party access via Devolutions Server are particularly vulnerable.
Mitigation Recommendations
Until official patches are released by Devolutions, European organizations should implement several specific mitigations:
1) Restrict network access to Devolutions Server instances by enforcing strict firewall rules and network segmentation, limiting exposure to trusted IP addresses only.
2) Monitor database and application logs for unusual or suspicious SQL queries indicative of injection attempts.
3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection payloads targeting the remote-sessions component.
4) Conduct immediate code reviews and security testing on any custom integrations with Devolutions Server to ensure no additional injection vectors exist.
5) Enforce the principle of least privilege on database accounts used by Devolutions Server to minimize potential damage from exploitation.
6) Prepare for rapid patch deployment by establishing a vulnerability response plan and maintaining up-to-date backups of critical data.
7) Educate IT and security teams about this vulnerability and encourage vigilance for indicators of compromise.
These measures will help reduce the attack surface and limit potential damage until a vendor patch is available.
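For the log-monitoring mitigation, an added example (not from the advisory and not a Devolutions tool) that URL-decodes request parameters from web access-log lines and flags values containing SQL syntax. The log format, the `/api/items` path and all sample lines are constructed; the real remote-sessions endpoint is not given in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic markers of SQL syntax inside a decoded parameter value.
SQL_MARKERS = re.compile(
    r"['\"]\s*(?:or|and)\b"                        # quote, then boolean operator
    r"|\bunion\b.+\bselect\b"                      # UNION ... SELECT
    r"|--|/\*"                                     # SQL comment openers
    r"|;\s*(?:drop|insert|update|delete|exec)\b"   # stacked statement
    r"|\bwaitfor\s+delay\b",                       # time-delay probe
    re.IGNORECASE,
)

# Client address and request target from a combined-style access-log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')

# Constructed sample lines (documentation address ranges, hypothetical path).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jan/2026:15:00:01 +0000] "GET /api/items?name=printer HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Jan/2026:15:00:02 +0000] "GET /api/items?name=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9841',
    '198.51.100.7 - - [19/Jan/2026:15:00:03 +0000] "GET /api/items?id=1+UNION+SELECT+null HTTP/1.1" 500 87',
    '192.0.2.11 - - [19/Jan/2026:15:00:04 +0000] "GET /api/items?name=O%27Brien HTTP/1.1" 200 300',
]

def suspicious_requests(lines):
    """Return (client_ip, parameter, decoded_value) for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes values, so encoded quotes are matched too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if SQL_MARKERS.search(value):
                hits.append((m["ip"], name, value))
                break  # one hit per request is enough for triage
    return hits

if __name__ == "__main__":
    for ip, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} parameter={name!r} value={value!r}")
```

Pattern matching of this kind misses obfuscated input and can flag benign values, so treat hits as triage leads alongside the network restrictions in item 1, not as a replacement for them.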
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: DEVOLUTIONS
- Date Reserved: 2026-01-05T16:11:38.393Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 696e462dd302b072d9c86a47
Added to database: 1/19/2026, 2:56:45 PM
Last enriched: 1/19/2026, 3:11:33 PM
Last updated: 1/19/2026, 4:08:39 PM