Cyber Posture

CVE-2026-3204

Severity: Critical
Published: 03 March 2026
Modified: 05 March 2026
KEV Added: not listed
Patch: see vendor advisory DEVO-2026-0005
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3204 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Devolutions Server, by Devolutions. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 22.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 (prevent): mandates validation of information inputs, addressing the root cause of this flaw, an error message page that accepts unvalidated content from a specially crafted URL.

SI-11 (prevent): requires error handling that does not generate harmful or attacker-discernible error messages, blocking the spoofing of displayed content from invalid inputs.

SI-15 (prevent): enforces output filtering to protect displayed error pages against malicious content insertion or exploitation.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remotely exploitable flaw (CWE-20) in a public-facing Devolutions Server web application that allows unauthenticated attackers to manipulate error-page content via crafted URLs, directly matching the definition of T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.

Deeper analysis [AI-generated]

CVE-2026-3204, published on 2026-03-03, involves improper input validation (CWE-20) in the error message page of Devolutions Server versions 2025.3.16 and earlier. This flaw allows remote attackers to spoof the displayed error message through a specially crafted URL. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high potential impact on confidentiality, integrity, and availability.

Any remote attacker can exploit this vulnerability over the network with low attack complexity, without needing privileges or user interaction. Exploitation involves sending a malicious URL that manipulates the error page, enabling the attacker to control the spoofed message content and potentially deceive users or systems.
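As an added illustration (not Devolutions code and not taken from the advisory), the following contrasts an error page that reflects a URL-supplied message, the weakness class the NVD text describes, with one that accepts only an allowlisted error code and flags anything else for logging, as SI-10 and SI-11 recommend. The host name, parameter names and error texts are assumptions.

```python
from html import escape
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

# Fixed, server-side error texts keyed by a short code (constructed sample).
# The page never renders free text taken from the request, so a crafted URL
# cannot change what the user reads.
ERROR_MESSAGES = {
    "404": "The requested page was not found.",
    "403": "You do not have permission to view this resource.",
    "500": "An internal error occurred. Please contact your administrator.",
}
DEFAULT_CODE = "500"

# Constructed request: a URL that tries to supply its own message text.
CRAFTED_URL = (
    "https://dvls.example.internal/error"
    "?message=Spoofed+text+chosen+by+the+requester"
)


def render_error_reflecting(url: str) -> str:
    """Weak pattern (CWE-20): whatever the URL carries is shown to the user."""
    params = parse_qs(urlsplit(url).query)
    message = params.get("message", ["An error occurred."])[0]
    return f"<h1>Error</h1><p>{message}</p>"


def render_error_hardened(url: str) -> Tuple[str, bool]:
    """Hardened pattern: validate the only input the page needs (an error
    code) against an allowlist and ignore any attempt to supply text.

    Returns the HTML plus a flag that is True when the request carried an
    unknown code or extra parameters; callers should log such requests as
    probes for this weakness class (SI-11: no attacker-controlled messages).
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw_code = params.get("code", [DEFAULT_CODE])[0]
    code = raw_code if raw_code in ERROR_MESSAGES else DEFAULT_CODE
    suspicious = (code != raw_code) or any(k != "code" for k in params)
    # escape() is belt-and-braces here: the text is constant today, but it
    # keeps the output safe if a dynamic field is added later (SI-15).
    body = escape(ERROR_MESSAGES[code])
    return f"<h1>Error {escape(code)}</h1><p>{body}</p>", suspicious
```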

Mitigation guidance is available in the vendor's security advisory DEVO-2026-0005 at https://devolutions.net/security/advisories/DEVO-2026-0005.

Details

CWE(s): CWE-20 (Improper Input Validation)

Affected Products: Devolutions Server (vendor: Devolutions), versions ≤ 2025.3.16.0

CVEs Like This One

Other CVEs in the same product (Devolutions Server): CVE-2026-1007, CVE-2026-4828, CVE-2026-0610, CVE-2026-4924, CVE-2025-2280, CVE-2026-3224, CVE-2025-2277, CVE-2026-4434, CVE-2025-2003, CVE-2026-3130.

References

Devolutions security advisory DEVO-2026-0005: https://devolutions.net/security/advisories/DEVO-2026-0005