CVE-2026-0610

Severity: Critical
Published: 19 January 2026
Modified: 10 February 2026
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0026 (17.2nd percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-0610 is a critical-severity SQL Injection (CWE-89) vulnerability in Devolutions Server, from vendor Devolutions. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0610 is a SQL injection vulnerability (CWE-89) present in the remote-sessions component of Devolutions Server. This issue affects versions 2025.3.1 through 2025.3.12 of the software. Published on 2026-01-19, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

The vulnerability can be exploited by an unauthenticated attacker over the network with low attack complexity and no user interaction required. Exploitation grants high impacts across confidentiality, integrity, and availability, enabling the attacker to potentially execute arbitrary SQL commands, extract sensitive data, modify database contents, or disrupt service operations on the affected Devolutions Server instance.
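The following is an added example, not code from Devolutions Server, the advisory, or this page, showing the CWE-89 pattern described above in miniature: a remote-sessions lookup that splices an untrusted owner name into the SQL text, the same lookup with a bound parameter, and an allow-list check of the kind NIST SI-10 calls for. The table name, column names, sample rows and attack strings are all constructed for the demonstration; SQLite is used so it runs offline, and nothing here reflects Devolutions Server's real schema or query layer.

```python
import re
import sqlite3


def build_db():
    """Constructed sample schema and rows; not the real Devolutions Server schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE remote_sessions ("
        "id INTEGER PRIMARY KEY, owner TEXT, host TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO remote_sessions (owner, host, secret) VALUES (?, ?, ?)",
        [
            ("alice", "db01.internal", "s3cret-alice"),
            ("bob", "web02.internal", "s3cret-bob"),
            ("carol", "jump.internal", "s3cret-carol"),
        ],
    )
    return conn


def lookup_sessions_vulnerable(conn, owner):
    """CWE-89: the untrusted value is spliced into the SQL text, so quotes and
    keywords inside it are parsed as SQL. Whoever controls `owner` controls
    the query, and no authentication is needed to supply it."""
    sql = f"SELECT owner, host, secret FROM remote_sessions WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_sessions_safe(conn, owner):
    """The fix: a parameterized query. The driver binds the value separately
    from the statement text, so it can never alter the query's structure."""
    sql = "SELECT owner, host, secret FROM remote_sessions WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Allow-list validation (NIST SI-10). Defence in depth only: parameterization
# is the control that actually removes the injection.
OWNER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_owner(owner):
    return OWNER_RE.fullmatch(owner) is not None


# Constructed attack strings of the kind an unauthenticated caller could send.
TAUTOLOGY = "x' OR '1'='1"                                           # returns every row
SCHEMA_DUMP = "x' UNION SELECT name, sql, '' FROM sqlite_master--"   # reads DB metadata


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal:     ", lookup_sessions_vulnerable(conn, "alice"))
    print("vulnerable, tautology:  ", lookup_sessions_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, schema dump:", lookup_sessions_vulnerable(conn, SCHEMA_DUMP))
    print("safe, tautology:        ", lookup_sessions_safe(conn, TAUTOLOGY))
    print("allow-list accepts payload?", is_valid_owner(TAUTOLOGY))
```

The tautology string turns a one-row lookup into a dump of every owner's secret, and the UNION string reads database metadata through the same parameter; both are the confidentiality impact the CVSS vector records. With the bound parameter the same strings are just a literal owner name that matches nothing. Stacked statements (the integrity and availability side) are not shown because Python's sqlite3 refuses more than one statement per `execute`; other drivers and database engines do not.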

Devolutions has issued security advisory DEVO-2026-0003, available at https://devolutions.net/security/advisories/DEVO-2026-0003/, which provides further details on the vulnerability and recommended mitigation steps.

Vulnerability details

SQL Injection vulnerability in remote-sessions in Devolutions Server. This issue affects Devolutions Server 2025.3.1 through 2025.3.12.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated network SQL injection in public-facing Devolutions Server component directly enables remote exploitation of a server application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4828 (same product: Devolutions Server)
CVE-2026-3204 (same product: Devolutions Server)
CVE-2026-1007 (same product: Devolutions Server)
CVE-2026-4924 (same product: Devolutions Server)
CVE-2025-2280 (same product: Devolutions Server)
CVE-2026-3224 (same product: Devolutions Server)
CVE-2025-2277 (same product: Devolutions Server)
CVE-2025-2003 (same product: Devolutions Server)
CVE-2026-4434 (same product: Devolutions Server)
CVE-2026-3130 (same product: Devolutions Server)

Affected Assets

Vendor: Devolutions
Product: Devolutions Server
Versions: 2025.3.1.0 to 2025.3.14.0 (this asset range extends past the 2025.3.12 upper bound given in the vulnerability description; confirm the fixed release against advisory DEVO-2026-0003 before closing a finding)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly prevents SQL injection in the remote-sessions component by validating and sanitizing unauthenticated network inputs before they reach SQL queries. Input validation is defence in depth here; the fix for CWE-89 is parameterized queries, which keep the untrusted value out of the SQL text entirely.

SI-2 Flaw Remediation (prevent)

Requires timely flaw remediation: upgrade Devolutions Server installations running 2025.3.1 through 2025.3.12 to a fixed release per advisory DEVO-2026-0003.

SC-7 Boundary Protection (prevent, detect)

Mitigates unauthenticated network exploitation of the SQL injection by monitoring and controlling communications at boundaries, for example a web application firewall blocking injection payloads. This is a compensating control: pattern-based blocking can be evaded and does not remove the flaw, so it buys time for SI-2 rather than replacing it.
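As an added example for the boundary-monitoring control (not code from this page, from Devolutions, or from any WAF product), the following scans web-server access logs for the injection indicators a WAF or SIEM rule would key on, decoding repeated percent-encoding first so that a double-encoded quote is not missed. The log lines are constructed in Apache combined format, and the `/api/remote-sessions` path and `owner` parameter are assumed names for illustration, not Devolutions Server's real endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (Apache combined format). The endpoint path and
# parameter name are assumed for illustration, not Devolutions Server's real API.
# Line 3 is double-encoded (%2527 -> %27 -> '); line 4 is a benign apostrophe.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2026:10:01:02 +0000] "GET /api/remote-sessions?owner=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2026:10:01:09 +0000] "GET /api/remote-sessions?owner=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jan/2026:10:02:15 +0000] "GET /api/remote-sessions?owner=x%2527%2520UNION%2520SELECT%25201%252C2%252C3-- HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.9 - - [20/Jan/2026:10:03:30 +0000] "GET /api/remote-sessions?owner=o%27brien HTTP/1.1" 200 256 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators, applied to the fully decoded parameter value. Each is deliberately
# narrow so that a lone apostrophe in a legitimate name does not fire.
SQLI_INDICATORS = [
    ("tautology", re.compile(r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("comment-terminator", re.compile(r"(?:--|/\*)\s*$")),
    ("stacked-query", re.compile(r";\s*(?:select|insert|update|delete|drop|exec)\b", re.I)),
]


def decode_param(value, max_passes=3):
    """Undo repeated percent-encoding so %2527 and %27 both end up as a quote.
    Stops early once a pass changes nothing; capped to avoid pathological input."""
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text):
    """Return one finding per request whose query string carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_param(raw)  # parse_qsl did one pass; this catches the rest
            for label, pattern in SQLI_INDICATORS:
                if pattern.search(value):
                    findings.append({
                        "ip": m.group("ip"),
                        "time": m.group("ts"),
                        "path": parts.path,
                        "param": name,
                        "value": value,
                        "indicator": label,
                    })
                    break  # one finding per parameter is enough
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']!r} [{f['indicator']}]")
```

Two of the four constructed requests are flagged and the `o'brien` lookup is not. The same limits that apply to a WAF apply here: inline comments (`UN/**/ION`), alternative whitespace, or hex-encoded strings slip past these patterns, which is why SC-7 is listed as a compensating control and the remediation is the upgrade under SI-2.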