CVE-2025-2600

Improper authorization in the variable component in Devolutions Remote Desktop Manager on Windows allows an authenticated password to use the ELEVATED_PASSWORD variable even though not allowed by the "Allow password in variable policy". This issue affects Remote Desktop Manager versions from 2025.1.24 through 2025.1.25, and all versions up to 2024.3.29.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:free:windows:*:*
cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:team:windows:*:*
cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:free:windows:*:*
cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:team:windows:*:*

History

02 Jul 2025, 17:32

Type Values Removed Values Added
CPE cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:team:windows:*:*
cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:free:windows:*:*
First Time Devolutions
Devolutions remote Desktop Manager
References () https://devolutions.net/security/advisories/DEVO-2025-0005/ - () https://devolutions.net/security/advisories/DEVO-2025-0005/ - Vendor Advisory

01 Apr 2025, 15:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.8

27 Mar 2025, 16:45

Type Values Removed Values Added
Summary
  • (es) Una autorización incorrecta en el componente variable de Devolutions Remote Desktop Manager en Windows permite que una contraseña autenticada use la variable ELEVATED_PASSWORD, aunque la política "Permitir contraseña en variable" no lo permita. Este problema afecta a las versiones de Remote Desktop Manager desde la 2025.1.24 hasta la 2025.1.25, y a todas las versiones hasta la 2024.3.29.

26 Mar 2025, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-03-26 18:15

Updated : 2025-07-02 17:32


NVD link : CVE-2025-2600

Mitre link : CVE-2025-2600

CVE.ORG link : CVE-2025-2600


JSON object : View

Products Affected

devolutions

  • remote_desktop_manager
CWE
CWE-285

Improper Authorization