CVE-2025-2280
Published: 13 March 2025
Summary
CVE-2025-2280 is a high-severity Improper Access Control (CWE-284) vulnerability in Devolutions Devolutions Server. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 27.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the improper access control that allowed bypassing the browser extension restriction feature.
AC-6 enforces least privilege for users and accounts, limiting the potential impact of low-privilege authenticated users exploiting the access control bypass.
SI-2 requires identification, reporting, and timely correction of system flaws, directly mitigating this improper access control vulnerability through patching as advised by the vendor.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The improper access control vulnerability allows a low-privileged authenticated user to bypass web extension restrictions in a remotely accessible server, directly enabling exploitation for privilege escalation (T1068) and exploitation of a public-facing application (T1190).
NVD Description
Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature.
Deeper analysisAI
CVE-2025-2280 is an improper access control vulnerability affecting the web extension restriction feature in Devolutions Server versions 2024.3.4.0 and earlier. Published on 2025-03-13, the issue stems from CWE-284 (Improper Access Control) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.
An authenticated user with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Exploitation enables the attacker to bypass the browser extension restriction feature, granting unauthorized access or control that compromises confidentiality and integrity (C:H/I:H) within the unchanged security scope (S:U), though availability remains unaffected (A:N).
Mitigation details are available in the vendor security advisory DEVO-2025-0004 at https://devolutions.net/security/advisories/DEVO-2025-0004/.
Details
- CWE(s)