CVE-2026-5175 is a security vulnerability identified in Devolutions Server, specifically affecting versions from 2026.1.6 through 2026.1.11. The flaw lies in the multi-factor authentication (MFA) management API, where improper access control allows an authenticated user to manipulate their own MFA settings. By sending specially crafted HTTP requests, an attacker can delete their configured MFA factors, effectively disabling MFA for their account and reverting authentication to password-only. This vulnerability is classified under CWE-862, which relates to missing or incorrect authorization, indicating that the API does not properly verify whether the authenticated user is authorized to perform MFA deletion operations. The absence of a CVSS score suggests this is a newly disclosed issue without a formal severity rating, but the impact on account security is significant. No public exploits have been reported yet, but the vulnerability could be leveraged by attackers who have valid credentials to weaken account security, increasing the risk of account takeover through password compromise. The issue affects a critical security control—MFA—that is widely used to protect sensitive systems and data. Since Devolutions Server is used for privileged access management and remote connection management, exploitation could facilitate unauthorized access to critical infrastructure if combined with credential theft or phishing attacks.

The primary impact of CVE-2026-5175 is the degradation of account security by allowing attackers to disable MFA protections on their own accounts. This reduces the authentication strength to password-only, increasing the risk of account compromise through credential theft, brute force, or phishing. For organizations, this means that attackers with valid credentials can bypass a key security control, potentially gaining unauthorized access to sensitive systems managed via Devolutions Server. Given that Devolutions Server is often used in enterprise environments to manage privileged credentials and remote sessions, exploitation could lead to lateral movement, data breaches, or disruption of critical services. The vulnerability does not allow direct unauthorized access but facilitates privilege escalation by weakening authentication. The lack of known exploits in the wild currently limits immediate risk, but the vulnerability presents a significant security gap that could be targeted in future attacks. Organizations relying on affected versions face increased risk of insider threats or compromised accounts being leveraged for further attacks.

To mitigate CVE-2026-5175, organizations should immediately upgrade Devolutions Server to a version where this vulnerability is patched once available. In the absence of a patch, restrict access to the MFA management API to trusted administrators and monitor API usage for suspicious activity. Implement network segmentation and strict access controls to limit who can authenticate to the server. Enforce strong password policies and consider additional compensating controls such as IP whitelisting or device-based authentication. Regularly audit user MFA configurations and logs to detect unauthorized changes. Educate users about the risks of credential compromise and encourage the use of hardware-based MFA tokens that are harder to disable. Finally, maintain an incident response plan to quickly address potential account compromises stemming from this vulnerability.