Devolutions reports critical SQL Injection flaw in Devolutions Server
Take action: If you're running Devolutions Server (your password/credential management system), this is urgent: the SQL Injection flaw could expose all of your organization's passwords and access keys. Upgrade as soon as possible to version 2025.2.21 or higher (or 2025.3.9 or higher if you are on the 2025.3 branch).
Devolutions has issued a security advisory addressing multiple vulnerabilities in Devolutions Server.
Devolutions Server is a privileged access management platform used by organizations to manage passwords and sensitive credentials.
Vulnerabilities summary
- CVE-2025-13757 (CVSS score 9.4) - SQL Injection flaw that allows authenticated users to execute malicious database queries through the DateSortField parameter in the last usage logs functionality. Successful exploitation could allow malicious actors to exfiltrate confidential records, steal passwords and access keys, or modify internal data without authorization.
- CVE-2025-13758 (CVSS score 5.1) - Credentials included in partial connection requests: certain entry types improperly exposed passwords in initial requests rather than restricting them to the secure /sensitive-data endpoint.
- CVE-2025-13765 (CVSS score 4.9) - Improper access control in the email service component, allowing non-administrative users to retrieve email service passwords when multiple email services are configured.
Given that Devolutions Server functions as a central repository for an organization's most critical access credentials, exploitation of these vulnerabilities could result in widespread compromise of corporate networks and systems.
The vulnerabilities affect Devolutions Server versions 2025.2.20 and earlier, as well as versions 2025.3.8 and earlier across all deployment configurations. Devolutions has released patched versions that address all three security flaws.
Organizations are strongly urged to upgrade immediately to version 2025.2.21 or higher for the 2025.2 branch, or version 2025.3.9 or higher for the 2025.3 branch.
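A quick way to triage an inventory of Devolutions Server instances against the affected ranges stated above. This is an added example, not code from Devolutions or the advisory; the host names and versions in the inventory are constructed, and it assumes branches newer than 2025.3 are outside the advisory's scope.

```python
import re
from typing import List, Tuple

# Minimum fixed versions per branch, taken from the advisory.
FIXED_2025_2 = (2025, 2, 21)
FIXED_2025_3 = (2025, 3, 9)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'year.minor.patch'; any trailing build suffix is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Devolutions Server version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version is inside the advisory's affected range.

    Affected: 2025.2.20 and earlier (which covers every release before the
    2025.2 branch) and 2025.3.0 through 2025.3.8. Releases at or above the
    fixed versions, and any later branch, are treated as not affected
    (assumption: the advisory lists no later branch).
    """
    v = parse_version(version)
    if v[:2] == FIXED_2025_3[:2]:
        return v < FIXED_2025_3
    if v[:2] > FIXED_2025_3[:2]:
        return False
    return v < FIXED_2025_2  # 2025.2 branch and everything older


def required_upgrade(version: str) -> str:
    """Minimum fixed version for the installed branch (2025.3 stays on 2025.3)."""
    v = parse_version(version)
    target = FIXED_2025_3 if v[:2] == FIXED_2025_3[:2] else FIXED_2025_2
    return ".".join(map(str, target))


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for each constructed inventory entry."""
    out = []
    for host, ver in inventory:
        status = f"AFFECTED, upgrade to {required_upgrade(ver)}" if is_affected(ver) else "ok"
        out.append((host, ver, status))
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for row in triage([("dvls-01", "2025.2.20"), ("dvls-02", "2025.3.9"), ("dvls-lab", "2024.3.15")]):
        print("{:10} {:10} {}".format(*row))
```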