CVE-2026-9249
Analyzed
Analyzed - Analysis Complete
BaseFortify
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Devolutions Inc.
Description
Description
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request.
This issue affects :
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | to 2025.3.22.0 (exc) |
| devolutions | devolutions_server | From 2026.1.6.0 (inc) to 2026.1.19.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-620 | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
Attack-Flow Graph
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70