Cyber Posture

CVE-2026-0610

Critical

Published: 19 January 2026
Modified: 10 February 2026
KEV Added: not listed (see Summary)
Patch: no patched version is listed on this page; the vendor advisory cited under Deeper analysis gives the remediation steps
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (percentile rank 13.2)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0610 is a critical-severity SQL injection (CWE-89) vulnerability in Devolutions Server (vendor: Devolutions). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS places it at percentile rank 13.2 for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. EPSS estimates the probability of exploitation in the wild over the next 30 days from current activity signals, so the low score does not mean the flaw is hard to exploit; the CVSS vector (network, no privileges, no user interaction) says it is not, and the score can rise quickly once exploit details circulate.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

SI-10 Information Input Validation (prevent): Directly prevents SQL injection in the remote-sessions component by validating and sanitizing unauthenticated network inputs before they reach SQL queries. For CWE-89 the structural fix is to pass those inputs to the database only as bound parameters of prepared statements; allow-list validation is defence in depth on top of that, not a replacement for it.

SI-2 Flaw Remediation (prevent): Requires timely flaw remediation by patching the SQL injection in Devolutions Server versions 2025.3.1 through 2025.3.12 (the Affected Products entry below extends the range to 2025.3.14.0; confirm the fixed version against advisory DEVO-2026-0003).

Boundary monitoring and control (prevent, detect): Mitigates unauthenticated network exploitation of the SQL injection by monitoring and controlling communications at boundaries, for example a web application firewall blocking injection payloads. Treat this as a detection and rate-limiting layer: signature-based filters can be bypassed with encoding and syntax variants, so it does not remove the need for SI-2.
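The injection and its fix side by side, as an added example that is neither the page's nor Devolutions' code: a hypothetical remote_sessions lookup keyed by an owner request parameter, written in Python against SQLite so it runs offline. The table, its columns, the secret values and the allow-list format are all assumptions made for the illustration.

```python
"""
SQL injection (CWE-89) in an unauthenticated lookup, vulnerable and hardened,
as an added example. This is not Devolutions Server code: the remote_sessions
table, its columns and the owner-lookup functions are hypothetical stand-ins
for an endpoint that builds SQL from a request parameter, using SQLite so the
example runs offline.
"""
import re
import sqlite3

# Allow-list for the owner parameter (hypothetical format: 1-64 chars of
# letters, digits, dot, underscore, hyphen). Defence in depth, not the fix.
OWNER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE remote_sessions (id INTEGER, owner TEXT, host TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO remote_sessions VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "db01.internal", "s3cr3t-a"),
            (2, "bob", "jump02.internal", "s3cr3t-b"),
            (3, "carol", "vault03.internal", "s3cr3t-c"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable form: the request value is spliced into the SQL text, so a
    quote in the value ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT host, secret FROM remote_sessions WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened form: the value is bound as a parameter and can only ever be
    compared as data, whatever characters it contains."""
    sql = "SELECT host, secret FROM remote_sessions WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def validate_owner(owner: str) -> bool:
    """SI-10 style input validation: reject anything outside the allow-list
    before it reaches the query layer."""
    return OWNER_RE.fullmatch(owner) is not None


def demo() -> tuple:
    """Run the tautology payload through both forms.
    Returns (rows leaked by the vulnerable form, rows from the hardened form,
    validation verdict for the payload, validation verdict for a normal value)."""
    conn = make_db()
    payload = "x' OR '1'='1"  # becomes: WHERE owner = 'x' OR '1'='1'
    leaked = lookup_vulnerable(conn, payload)
    safe = lookup_parameterized(conn, payload)
    return len(leaked), len(safe), validate_owner(payload), validate_owner("alice")


if __name__ == "__main__":
    print(demo())  # (3, 0, False, True): every row's secret leaks from the vulnerable form
```

The vulnerable query returns all three rows, including other owners' secrets, for a payload that the bound-parameter version treats as a literal owner name matching nothing. The allow-list catches this particular payload as well, but it is the parameter binding that makes the query safe for any input, which is why SI-10 alone is not the fix for CWE-89.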

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated network SQL injection in public-facing Devolutions Server component directly enables remote exploitation of a server application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
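What T1190 attempts against this kind of endpoint look like at the boundary, as an added example that is not the page's or Devolutions' code: a small detector run over constructed web-server access log lines. The /api/remote-sessions path, the owner parameter and the source addresses are hypothetical stand-ins, and the rules are deliberately narrow (a string terminator followed by SQL syntax) so that legitimate apostrophes do not alert.

```python
"""
Boundary-side detection of SQL injection attempts against an unauthenticated
endpoint, as an added example (not the page's or Devolutions' code). The log
lines are constructed; the /api/remote-sessions path and the owner parameter
are hypothetical stand-ins for the affected component.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed web-server access log ("combined" format), one request per line.
# The first two requests are legitimate (the second carries a harmless apostrophe);
# the last three are a tautology, a UNION-based read, and a stacked query.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2026:10:01:02 +0000] "GET /api/remote-sessions?owner=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2026:10:01:05 +0000] "GET /api/remote-sessions?owner=O%27Brien HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Jan/2026:10:02:11 +0000] "GET /api/remote-sessions?owner=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 9031 "-" "python-requests/2.31"
198.51.100.23 - - [19/Jan/2026:10:02:14 +0000] "GET /api/remote-sessions?owner=x%27+UNION+SELECT+table_name%2Ctable_schema+FROM+information_schema.tables-- HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.23 - - [19/Jan/2026:10:02:20 +0000] "GET /api/remote-sessions?owner=x%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule needs a string terminator plus SQL syntax after it, so a lone
# apostrophe in legitimate data (O'Brien) does not fire.
RULES = [
    ("tautology", re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("union_select", re.compile(r"'\s*union(?:\s+all)?\s+select\b", re.I)),
    ("stacked_query", re.compile(r"'\s*;\s*(?:select|insert|update|delete|drop|exec|waitfor)\b", re.I)),
    ("comment_terminator", re.compile(r"'\s*(?:--|#|/\*)")),
]


def detect(log_text: str, watched_prefix: str = "/api/remote-sessions") -> list:
    """Return (source_ip, status, [rule names]) for each request to the watched
    path whose decoded parameter values match an injection rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(watched_prefix):
            continue
        # parse_qsl decodes once; the extra unquote catches double-encoded
        # payloads (%2527) and is a no-op on already-decoded text.
        values = [unquote(v) for _, v in parse_qsl(url.query, keep_blank_values=True)]
        reasons = sorted({name for v in values for name, rx in RULES if rx.search(v)})
        if reasons:
            hits.append((m["ip"], m["status"], reasons))
    return hits


def summarize(hits: list) -> dict:
    """Attempts per source address, the input for blocking or rate limiting."""
    return dict(Counter(ip for ip, _, _ in hits))


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
    print(summarize(detect(SAMPLE_LOG)))
```

On the sample, the two legitimate requests are silent and the three from 198.51.100.23 are flagged with their rule names; the 200 with an unusually large response body on the tautology request is the kind of secondary signal worth correlating. The rules only cover quoted-string contexts: a numeric parameter attacked with `id=1 OR 1=1` carries no quote and would need a separate rule, and any signature set of this kind is a tripwire rather than a substitute for patching.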

NVD Description

SQL Injection vulnerability in remote-sessions in Devolutions Server. This issue affects Devolutions Server 2025.3.1 through 2025.3.12.

Deeper analysis (AI-generated)

CVE-2026-0610 is a SQL injection vulnerability (CWE-89) present in the remote-sessions component of Devolutions Server. This issue affects versions 2025.3.1 through 2025.3.12 of the software. Published on 2026-01-19, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

The vulnerability is exploitable by an unauthenticated attacker over the network, with low attack complexity and no user interaction. A successful injection lets the attacker run attacker-chosen SQL against the server's database with whatever privileges the remote-sessions component's database account holds: reading data the component can reach, modifying or deleting rows, or disrupting service on the affected Devolutions Server instance, hence the high impact ratings on confidentiality, integrity and availability. Whether it extends further (for example to command execution through database features) depends on the database engine and that account's privileges, which this page does not state.

Devolutions has issued security advisory DEVO-2026-0003, available at https://devolutions.net/security/advisories/DEVO-2026-0003/, which provides further details on the vulnerability and recommended mitigation steps.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products

Devolutions Server (vendor: Devolutions), versions 2025.3.1.0 through 2025.3.14.0. The NVD description gives the narrower range 2025.3.1 through 2025.3.12; treat any version inside the wider range as in scope until the vendor advisory confirms otherwise.
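A version check a practitioner can run against an inventory, added as an example rather than vendor tooling. It encodes both upper bounds given on this page, compares fields numerically (a plain string comparison puts 2025.3.9 after 2025.3.12), and reports which range a version falls in so a 2025.3.13 install is not waved through on the narrower NVD text alone. The sample versions in the usage block are made up.

```python
"""
Affected-version check for CVE-2026-0610, added as an example rather than
vendor tooling. The page gives two upper bounds: the NVD description says
2025.3.1 through 2025.3.12, the Affected Products entry says 2025.3.1.0
through 2025.3.14.0. Versions are compared numerically and both ranges are
reported separately.
"""


def parse_version(text: str) -> tuple:
    """'2025.3.12' -> (2025, 3, 12, 0): numeric fields, padded to four."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


# Both ranges exactly as stated on this page; inclusive at both ends.
NVD_RANGE = ((2025, 3, 1), (2025, 3, 12))              # three fields, as in the NVD description
PRODUCTS_RANGE = ((2025, 3, 1, 0), (2025, 3, 14, 0))   # four fields, as under Affected Products


def assess(installed: str) -> str:
    """Classify an installed Devolutions Server version against both ranges.
    The three-field NVD range is matched on the first three fields, so a
    build such as 2025.3.12.7 still counts as 2025.3.12."""
    v = parse_version(installed)
    if NVD_RANGE[0] <= v[:3] <= NVD_RANGE[1]:
        return "affected (inside the NVD description range)"
    if PRODUCTS_RANGE[0] <= v <= PRODUCTS_RANGE[1]:
        return "likely affected (inside the Affected Products range only; confirm against DEVO-2026-0003)"
    return "outside both listed ranges"


def string_compare_is_wrong() -> bool:
    """True: lexicographic order says 2025.3.9 > 2025.3.12, numeric order does not."""
    return ("2025.3.9" > "2025.3.12") and (parse_version("2025.3.9") < parse_version("2025.3.12"))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for version in ("2025.3.5", "2025.3.12.7", "2025.3.13", "2025.3.15.0", "2024.3.9"):
        print(version, "->", assess(version))
```

The "likely affected" verdict exists precisely because the two ranges on this page disagree; a fleet report should surface those versions rather than silently classing them as clean or patched.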

CVEs Like This One

CVE-2026-1007 (same product: Devolutions Server)
CVE-2026-4828 (same product: Devolutions Server)
CVE-2026-3204 (same product: Devolutions Server)
CVE-2026-4924 (same product: Devolutions Server)
CVE-2025-2280 (same product: Devolutions Server)
CVE-2026-3224 (same product: Devolutions Server)
CVE-2025-2277 (same product: Devolutions Server)
CVE-2026-4434 (same product: Devolutions Server)
CVE-2026-3130 (same product: Devolutions Server)
CVE-2025-2003 (same product: Devolutions Server)

References

Devolutions security advisory DEVO-2026-0003: https://devolutions.net/security/advisories/DEVO-2026-0003/