CVE-2025-11957 CRITICAL

Vendor: Devolutions
Product: Server
Weakness: CWE-639 · IDOR
Published: October 22, 2025
Last update: November 25, 2025

CVSS base score

9.0/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to approve their own temporary access requests, or those of other users, and gain unauthorized access to vaults and entries via crafted API requests.

Key dates

02 Disclosure timeline

October 22, 2025: CVE published
November 25, 2025: Record updated