CVE-2025-12485
BaseFortify
Publication date: 2025-11-06
Last updated on: 2025-11-10
Assigner: Devolutions Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | From 2022.3.1.0 (inc) to 2022.3.10.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves improper privilege management during the handling of pre-MFA cookies in Devolutions Server 2025.3.5.0 and earlier. A low-privileged authenticated user can impersonate another account by replaying the pre-MFA cookie, although the target account's MFA verification step is not bypassed.
How can this vulnerability impact me?
The vulnerability allows a low-privileged authenticated user to impersonate another account by replaying a pre-MFA cookie, potentially leading to unauthorized access or actions under the impersonated account. However, the target account's MFA verification is still required, which limits the impact.