CVE-2026-12755
Received Received - Intake
Improper Input Validation in Devolutions Server Allows NTLMv2 Credential Exposure

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Devolutions Inc.

Description
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2 challenge-response, via a crafted DomainName parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-12755
EUVD
EUVD-2026-39386
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
devolutions server From 2026.2.4.0 (inc) to 2026.2.7.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is caused by improper input validation in the PAM AD discovery endpoints of Devolutions Server versions 2026.2.4.0 through 2026.2.7.0.

An authenticated user who has the UserGroupsView permission can exploit this flaw by supplying a crafted DomainName parameter.

This allows the attacker to coerce server-side authentication to an attacker-controlled host, which results in exposing PAM provider credentials as an NTLMv2 challenge-response.

Impact Analysis

The vulnerability can lead to the exposure of PAM provider credentials through an NTLMv2 challenge-response.

An attacker with UserGroupsView permission can redirect authentication attempts to a host they control, potentially allowing them to capture sensitive authentication data.

This could lead to unauthorized access or further attacks leveraging the exposed credentials.

Compliance Impact

The vulnerability exposes PAM provider credentials as an NTLMv2 challenge-response to an attacker-controlled host, which could lead to unauthorized access or credential compromise.

Such exposure of sensitive authentication credentials may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and user authentication information.

Organizations using affected versions of Devolutions Server should remediate by upgrading to version 2026.2.9.0 or higher to reduce the risk of non-compliance due to this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Devolutions Server to version 2026.2.9.0 or higher.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12755. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart