Critical Server Flaw (CVE-2025-12485, CVSS 9.4) Allows User Impersonation through Pre-MFA Cookie Hijacking

  • Nov 10, 2025
  • 2 min read

Key Findings:


  • CVE-2025-12485 is a critical vulnerability (CVSS 9.4) in Devolutions Server that allows a low-privileged authenticated user to impersonate another account by replaying a pre-MFA cookie.

  • CVE-2025-12808 is a high-severity vulnerability (CVSS 7.1) that allows a View-only user to retrieve sensitive third-level nested fields, potentially exposing stored passwords or configuration secrets.

  • Both vulnerabilities affect multiple versions of Devolutions Server 2025 and require upgrading to the latest maintenance updates as the only effective remediation.


Background


Devolutions is a leading provider of privileged access management (PAM) and remote connection solutions. The self-hosted Devolutions Server is used by enterprises to control access to privileged accounts and business user passwords.


CVE-2025-12485: Pre-MFA Cookie Hijacking


  • This critical vulnerability (CVSS 9.4) stems from improper privilege management during pre-MFA cookie handling in Devolutions Server.

  • A low-privileged authenticated user could impersonate another account by replaying the pre-MFA cookie, allowing them to escalate privileges or pivot laterally.

  • This does not bypass the target account's multi-factor authentication (MFA) verification step.

  • Successful exploitation could lead to unauthorized access, audit log manipulation, or configuration tampering within privileged management workflows.


CVE-2025-12808: Nested Field Exposure


  • This high-severity vulnerability (CVSS 7.1) arises from improper access control in Devolutions Server's handling of nested fields.

  • A View-only user, typically restricted to non-editable access, can retrieve sensitive third-level nested fields that may contain custom values or plaintext credentials.

  • This exposure could allow unauthorized users to harvest stored passwords or configuration secrets from the server's database, undermining internal segregation-of-duty models.


Remediation


  • Upgrade to Devolutions Server 2025.3.6.0 or higher

  • Upgrade to Devolutions Server 2025.2.17.0 or higher

  • Devolutions emphasized that upgrading to these versions is the only effective remediation, as no configuration workaround is available.
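A fleet version check against the two fixed builds listed above, added here as an example (it is not Devolutions' own tooling); the sample inventory and hostnames are constructed, and treating a branch the advisory does not name as "check" rather than "ok" is an assumption:

```python
from __future__ import annotations

# Added example, not Devolutions' tooling. Fixed builds from the advisory,
# keyed by release branch (year, minor). Branches not listed here (older or
# newer) are reported as "check" rather than guessed at (assumption).
FIXED_BUILDS: dict[tuple[int, int], tuple[int, ...]] = {
    (2025, 2): (2025, 2, 17, 0),
    (2025, 3): (2025, 3, 6, 0),
}

def parse_version(text: str) -> tuple[int, ...]:
    """Parse '2025.3.5' into (2025, 3, 5, 0); missing trailing parts become 0.
    Tuples compare numerically, so 2025.2.17.0 > 2025.2.9.0; a plain string
    compare would get that wrong ("17" < "9"), a common triage bug."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def status(version: str) -> str:
    """'upgrade' below the branch's fixed build, 'ok' at or above it,
    'check' when the advisory names no fixed build for that branch."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        return "check"
    return "upgrade" if v < fixed else "ok"

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status; the 'upgrade' list is the patch ticket."""
    groups: dict[str, list[str]] = {"upgrade": [], "ok": [], "check": []}
    for host, version in sorted(inventory.items()):
        groups[status(version)].append(host)
    return groups

if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "dvls-prod-01": "2025.3.5.0",
        "dvls-prod-02": "2025.3.6.0",
        "dvls-lab": "2025.2.16.3",
        "dvls-legacy": "2025.1.8.0",
    }
    for group, hosts in triage(sample).items():
        print(f"{group:8s} {', '.join(hosts) or '-'}")
```

Feed it the version strings reported by each server and anything in the "check" group needs a manual look at the vendor advisory, since the page only names fixes for the 2025.2 and 2025.3 branches.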


Sources


  • https://securityonline.info/critical-devolutions-server-flaw-cve-2025-12485-cvss-9-4-allows-user-impersonation-via-pre-mfa-cookie-hijacking/

  • https://securityonline.info/critical-ge-vernova-ics-flaw-cve-2025-3222-cvss-9-3-allows-authentication-bypass-in-smallworld-master-file-server/

  • https://securityonline.info/critical-calibre-flaw-cve-2025-64486-cvss-9-3-allows-rce-via-malicious-fb2-e-book/

© 2025 by Explain IT Again. Powered and secured by Wix