CVE-2025-2280
Published: 13 March 2025
Summary
CVE-2025-2280 is a high-severity Improper Access Control (CWE-284) vulnerability in Devolutions Server. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 27.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-2280 is an improper access control vulnerability affecting the web extension restriction feature in Devolutions Server versions 2024.3.4.0 and earlier. Published on 2025-03-13, the issue stems from CWE-284 (Improper Access Control) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.
An authenticated user with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Exploitation enables the attacker to bypass the browser extension restriction feature, granting unauthorized access or control that compromises confidentiality and integrity (C:H/I:H) within the unchanged security scope (S:U), though availability remains unaffected (A:N).
Mitigation details are available in the vendor security advisory DEVO-2025-0004 at https://devolutions.net/security/advisories/DEVO-2025-0004/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6280
Vulnerability details
Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to bypass the browser extension restriction feature.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper access control vulnerability allows a low-privileged authenticated user to bypass web extension restrictions in a remotely accessible server, directly enabling exploitation for privilege escalation (T1068) and exploitation of a public-facing application (T1190).
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the improper access control that allowed bypassing the browser extension restriction feature.
AC-6 enforces least privilege for users and accounts, limiting the potential impact of low-privilege authenticated users exploiting the access control bypass.
SI-2 requires identification, reporting, and timely correction of system flaws, directly mitigating this improper access control vulnerability through patching as advised by the vendor.