
Critical Server Flaw (CVE-2025-12485, CVSS 9.4) Allows User Impersonation through Pre-MFA Cookie Hijacking

  • Nov 10, 2025

Key Findings:


  • CVE-2025-12485 is a critical vulnerability (CVSS 9.4) in Devolutions Server that allows a low-privileged authenticated user to impersonate another account by replaying a pre-MFA cookie.

  • CVE-2025-12808 is a high-severity vulnerability (CVSS 7.1) that allows a View-only user to retrieve sensitive third-level nested fields, potentially exposing stored passwords or configuration secrets.

  • Both vulnerabilities affect multiple versions of Devolutions Server 2025 and require upgrading to the latest maintenance updates as the only effective remediation.


Background


Devolutions is a leading provider of privileged access management (PAM) and remote connection solutions. The self-hosted Devolutions Server is used by enterprises to control access to privileged accounts and business user passwords.


CVE-2025-12485: Pre-MFA Cookie Hijacking


  • This critical vulnerability (CVSS 9.4) stems from improper privilege management during pre-MFA cookie handling in Devolutions Server.

  • A low-privileged authenticated user could impersonate another account by replaying the pre-MFA cookie, allowing them to escalate privileges or pivot laterally.

  • This does not bypass the target account's multi-factor authentication (MFA) verification step.

  • Successful exploitation could lead to unauthorized access, audit log manipulation, or configuration tampering within privileged management workflows.


CVE-2025-12808: Nested Field Exposure


  • This high-severity vulnerability (CVSS 7.1) arises from improper access control in Devolutions Server's handling of nested fields.

  • A View-only user, typically restricted to non-editable access, can retrieve sensitive third-level nested fields that may contain custom values or plaintext credentials.

  • This exposure could allow unauthorized users to harvest stored passwords or configuration secrets from the server's database, undermining internal segregation-of-duty models.


Remediation


  • Upgrade to Devolutions Server 2025.3.6.0 or higher

  • Upgrade to Devolutions Server 2025.2.17.0 or higher

  • Devolutions emphasized that upgrading to these versions is the only effective remediation, as no configuration workaround is available.
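An added example, not part of the advisory or of Devolutions' own tooling: a small Python check that compares an inventory of reported Devolutions Server versions against the two fixed releases listed above, and treats any branch the advisory does not name as unknown rather than safe. The hostnames and versions in the sample inventory are constructed.

```python
# Added example (not from the advisory or from Devolutions): decide whether a
# reported Devolutions Server version is below the fixed releases named above.
from typing import Tuple

# Fixed releases per 2025.x branch, exactly as listed in the advisory.
FIXED_VERSIONS = {
    (2025, 3): (2025, 3, 6, 0),
    (2025, 2): (2025, 2, 17, 0),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '2025.3.5.0' into a 4-tuple of ints.

    Missing trailing components are padded with zeros so '2025.3.6' compares
    equal to '2025.3.6.0'. Raises ValueError on non-numeric or oversized input.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one version string.

    'unknown' is returned for branches the advisory does not cover: the page
    states only the two fixed versions above, so other branches are not
    assumed to be safe.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def assess_inventory(versions: dict) -> dict:
    """Map hostname -> status for an inventory of {hostname: version}."""
    return {host: assess(v) for host, v in versions.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"dvls-prod-01": "2025.3.5.0", "dvls-prod-02": "2025.3.6.0",
              "dvls-lab": "2025.2.16.2", "dvls-old": "2024.3.10.0"}
    for host, status in assess_inventory(sample).items():
        print(f"{host}: {status}")
```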


Sources


  • https://securityonline.info/critical-devolutions-server-flaw-cve-2025-12485-cvss-9-4-allows-user-impersonation-via-pre-mfa-cookie-hijacking/
