Critical Devolutions Server Flaw (CVE-2025-13757) (CVSS 9.4) Allows Authenticated SQL Injection to Steal All Passwords

Estimated reading time: 10 minutes

Key Takeaways:

  • Critical SQL injection vulnerability (CVE-2025-13757) in Devolutions Server allows authenticated users to steal or modify sensitive data.
  • Other vulnerabilities (CVE-2025-13758, CVE-2025-13765) expose passwords through improper data handling and API access.
  • Immediate patching to versions 2025.2.21 or higher, or 2025.3.9 or higher is crucial to mitigate risks.
  • Organizations should implement comprehensive security policies, continuous monitoring, and supply chain risk assessments.
  • PurpleOps offers services to help organizations protect themselves against vulnerabilities and cyber threats.

Table of Contents:

Details of the Devolutions Server Vulnerabilities

Devolutions has issued security updates for its self-hosted password management solution, Devolutions Server, to address three vulnerabilities. The most critical of these, CVE-2025-13757, allows for authenticated SQL injection that could lead to the theft or alteration of sensitive data, including passwords. This post details the vulnerabilities and their potential impact.

Devolutions Server is a password management solution designed to control access to privileged accounts and business user passwords. The newly discovered vulnerabilities present significant risks to organizations relying on this system.

The most severe vulnerability, CVE-2025-13757, carries a CVSS score of 9.4 and stems from an SQL injection flaw within the system’s logging mechanism. Specifically, the vulnerability resides in the DateSortField parameter used in last usage logs. According to Devolutions’ advisory, this flaw “allows authenticated users to exfiltrate or modify data.” By manipulating this parameter, an attacker with existing access to the system could bypass security controls and directly query the underlying database. This could enable the extraction of sensitive information, including user credentials and other confidential data.

The second vulnerability, CVE-2025-13758, has a CVSS score of 5.1 and concerns the transmission of sensitive information. Devolutions Server typically separates data requests into two parts: a general request for metadata (e.g., name, username, date) and a separate /sensitive-data request for credentials like passwords. However, researchers discovered that for certain entry types, the system “improperly included passwords in the first request.” This means that simply viewing a list of entries could inadvertently transmit passwords over the network, even before a user explicitly requests to see them. This behavior increases the risk of exposure if network traffic is intercepted or monitored.

The third vulnerability, CVE-2025-13765, has a CVSS score of 4.9 and affects the email service configuration API. The report indicates that this vulnerability “returned email service passwords to users without administrative rights when multiple email services where configured.” This could allow standard users to gain unauthorized access to the organization’s email infrastructure credentials. This is of particular concern to companies needing supply-chain risk monitoring.

Impact and Mitigation

The successful exploitation of these vulnerabilities could have severe consequences:

  • Credential Theft: Attackers could steal passwords and other sensitive data stored within Devolutions Server, gaining unauthorized access to critical systems and applications.
  • Data Modification: The SQL injection flaw could allow attackers to modify data within the database, potentially altering configurations, deleting records, or injecting malicious code.
  • Unauthorized Access to Email Infrastructure: Exposure of email service passwords could lead to unauthorized access to an organization’s email systems, allowing attackers to send phishing emails, intercept sensitive communications, or compromise email accounts.

Devolutions has released updates to address these vulnerabilities. It is crucial that administrators apply the patches immediately. The vulnerabilities are resolved in the following versions:

  • Devolutions Server 2025.2.21 or higher
  • Devolutions Server 2025.3.9 or higher

Organizations are advised to prioritize the update to maintain the integrity of their secrets management infrastructure. This incident also highlights the importance of continuous breach detection and incident response planning.

Technical Analysis

The SQL injection vulnerability (CVE-2025-13757) is located within the DateSortField parameter of the last usage logs functionality. The application fails to properly sanitize user-supplied input before incorporating it into an SQL query. This allows an attacker to inject arbitrary SQL code into the query, potentially gaining access to the entire database.

A technical user could exploit this flaw by crafting a malicious DateSortField parameter that includes SQL injection payloads. For example, an attacker could use techniques like UNION-based injection to extract data from other tables in the database. This would require an understanding of the database schema and SQL syntax.

SQL injection attack targeting Devolutions Server

The vulnerability related to sensitive data transmission (CVE-2025-13758) stems from the application’s failure to properly control the inclusion of sensitive data in initial metadata requests. During the retrieval of entries, the server includes passwords in the initial response rather than waiting for a specific request for sensitive data.

A technical user could verify this by intercepting network traffic using tools like Wireshark or tcpdump. By examining the response from the server when retrieving a list of entries, the user could confirm whether passwords are being transmitted in the initial response.

The email service configuration API vulnerability (CVE-2025-13765) occurs due to insufficient access control. The API returns email service passwords to users without administrative rights when multiple email services are configured.

A technical user could exploit this by sending a request to the email service configuration API and observing the response. If the user receives email service passwords despite not having administrative rights, the vulnerability is present.

Broader Cybersecurity Implications

This incident underscores several important aspects of cybersecurity:

  • Importance of timely patching: Vulnerabilities in software are inevitable, but prompt patching is crucial to mitigate the risk of exploitation. Organizations should have a system in place for monitoring security advisories and applying patches as soon as they are available.
  • Secure coding practices: Developers should follow secure coding practices to prevent vulnerabilities such as SQL injection and improper data handling. This includes input validation, output encoding, and the principle of least privilege.
  • Defense in depth: Organizations should implement a layered security approach to protect their systems and data. This includes firewalls, intrusion detection systems, access controls, and regular security audits.
  • Supply chain security: This vulnerability highlights the importance of supply chain information security. Organizations should carefully evaluate the security practices of their vendors and suppliers, and ensure that they have adequate security controls in place.
  • Need for real-time ransomware intelligence: The threat of ransomware continues to grow, making it essential for organizations to have access to real-time ransomware intelligence. This includes information about the latest ransomware strains, attack vectors, and mitigation strategies.
  • Continuous monitoring: The detection of these vulnerabilities required diligent monitoring and research. Continuous monitoring of systems and networks is essential to identify and respond to security threats in a timely manner. A cyber threat intelligence platform can provide valuable insights into emerging threats and vulnerabilities.

Practical Takeaways and Actionable Advice

For Technical Readers:

  1. Patch Immediately: Prioritize patching Devolutions Server to versions 2025.2.21 or higher, or 2025.3.9 or higher.
  2. Review Access Controls: Ensure that access controls are properly configured to limit access to sensitive data and functionality.
  3. Implement Web Application Firewall (WAF): Consider implementing a WAF to detect and prevent SQL injection attacks.
  4. Monitor Network Traffic: Monitor network traffic for suspicious activity, such as unexpected data transfers or attempts to access sensitive data.
  5. Conduct Regular Security Audits: Perform regular security audits and penetration testing to identify and address vulnerabilities. Consider leveraging underground forum intelligence to gain insights into attacker tactics and techniques.
  6. Implement Telegram Threat Monitoring: Monitor Telegram channels and other social media platforms for discussions about Devolutions Server vulnerabilities and exploits.
  7. Utilize a Live Ransomware API: Integrate a live ransomware API into your security monitoring systems to detect and respond to ransomware attacks.
  8. Enhance Brand Leak Alerting: Set up alerts to notify you of any leaks of sensitive information related to your brand or organization.

For Non-Technical Readers (Business Leaders):

  1. Ensure Patching is Prioritized: Verify that your IT team has applied the necessary patches to Devolutions Server.
  2. Review Security Policies: Ensure that your organization has comprehensive security policies in place, including policies for password management, access control, and incident response.
  3. Provide Security Awareness Training: Provide security awareness training to employees to help them identify and avoid phishing attacks and other security threats.
  4. Assess Vendor Security: Evaluate the security practices of your vendors and suppliers, and ensure that they have adequate security controls in place.
  5. Invest in Security Tools: Invest in security tools and technologies, such as intrusion detection systems, firewalls, and security information and event management (SIEM) systems.
  6. Develop an Incident Response Plan: Develop and maintain an incident response plan to ensure that your organization can effectively respond to security incidents.
  7. Consider Supply Chain Risk Monitoring: Implement supply chain risk monitoring to identify and mitigate security risks associated with your vendors and suppliers.

These vulnerabilities underscore the need for proactive security measures, including timely patching, secure coding practices, and continuous monitoring.

PurpleOps offers a range of services that can help organizations protect themselves against vulnerabilities and cyber threats, including a cyber threat intelligence platform, dark web monitoring service, and supply-chain risk monitoring. Contact PurpleOps to learn more about how we can help you improve your security posture.

FAQ

Q: What is CVE-2025-13757?
A: CVE-2025-13757 is a critical SQL injection vulnerability in Devolutions Server that allows authenticated users to exfiltrate or modify data.

Q: What versions of Devolutions Server are affected?
A: Devolutions Server versions prior to 2025.2.21 and 2025.3.9 are affected.

Q: How can I protect my organization from these vulnerabilities?
A: Patch Devolutions Server immediately, review access controls, implement a WAF, monitor network traffic, and conduct regular security audits.

Q: What is supply chain risk monitoring?
A: Supply chain risk monitoring is the process of identifying and mitigating security risks associated with your vendors and suppliers.