CVE-2026-4925 is a security vulnerability identified in Devolutions Server, specifically affecting versions from 2026.1.6 through 2026.1.11. The vulnerability is categorized under CWE-862, which relates to improper access control. The flaw exists in the users' multi-factor authentication (MFA) feature, where an authenticated user can bypass administrator-enforced restrictions to remove their own MFA configuration by sending a specially crafted request. This means that although administrators intend to enforce MFA policies to enhance security, this vulnerability allows users to circumvent those policies without requiring elevated privileges or administrator intervention. The vulnerability does not require exploitation by an unauthenticated attacker; it requires the attacker to have valid user credentials. However, the ability to disable MFA undermines the security controls designed to protect user accounts from compromise. No CVSS score has been assigned yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on March 26, 2026, and published on April 1, 2026. The lack of a patch link suggests that a fix may still be pending or recently released. This vulnerability highlights a critical weakness in access control mechanisms within the MFA management functionality of Devolutions Server, potentially allowing malicious insiders or compromised accounts to weaken authentication safeguards.

The primary impact of CVE-2026-4925 is the potential compromise of account security through the removal of MFA protections by authenticated users. Organizations relying on Devolutions Server to enforce MFA policies may find that users can disable these protections, increasing the risk of unauthorized access if user credentials are compromised. This can lead to elevated risks of data breaches, unauthorized system access, and lateral movement within networks. The integrity of authentication controls is undermined, which can affect confidentiality and availability if attackers leverage disabled MFA to escalate privileges or access sensitive resources. Since the vulnerability requires authenticated access, the threat is more significant in environments with many users or where credential compromise is feasible. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation. Overall, the vulnerability poses a high risk to organizations that depend on MFA for securing access to critical systems and data.

Organizations should prioritize applying any available patches or updates from Devolutions as soon as they are released to address this vulnerability. In the interim, administrators should implement strict monitoring of MFA configuration changes and audit logs to detect unauthorized modifications. Restricting user permissions to the minimum necessary and reviewing access control policies can reduce the risk of exploitation. Employing additional compensating controls such as anomaly detection for unusual authentication behavior and enforcing strong password policies can help mitigate risks. If possible, temporarily disabling user self-service MFA management until a patch is applied may prevent exploitation. Educating users about the importance of MFA and monitoring for suspicious activity related to authentication changes are also recommended. Finally, organizations should maintain an incident response plan that includes procedures for responding to potential MFA bypass attempts.