Cyber Resilience

CVE-2026-3224

Critical

Published: 03 March 2026

Published
03 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0051 39.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-3224 is a critical-severity Improper Authentication (CWE-287) vulnerability in Devolutions Devolutions Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3224 is an authentication bypass vulnerability in the Microsoft Entra ID (Azure AD) authentication mode of Devolutions Server versions 2025.3.15.0 and earlier. It enables an unauthenticated user to authenticate as an arbitrary Entra ID user by forging a JSON Web Token (JWT). Published on 2026-03-03, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication).

Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By crafting and submitting a forged JWT, the attacker can impersonate any Entra ID user, gaining unauthorized access to the Devolutions Server and potentially compromising sensitive data or performing privileged actions.

Mitigation details are available in the vendor security advisory DEVO-2026-0005 at https://devolutions.net/security/advisories/DEVO-2026-0005/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078.004 Cloud Accounts Stealth
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1606 Forge Web Credentials Credential Access
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

Authentication bypass via forged JWT directly enables remote exploitation of the server (T1190) to impersonate valid Entra ID cloud accounts (T1078.004) through forged web credentials (T1606).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0610Same product: Devolutions Devolutions Server
CVE-2026-3204Same product: Devolutions Devolutions Server
CVE-2026-4828Same product: Devolutions Devolutions Server
CVE-2026-1007Same product: Devolutions Devolutions Server
CVE-2025-2280Same product: Devolutions Devolutions Server
CVE-2026-4924Same product: Devolutions Devolutions Server
CVE-2025-2277Same product: Devolutions Devolutions Server
CVE-2025-2003Same product: Devolutions Devolutions Server
CVE-2026-3130Same product: Devolutions Devolutions Server
CVE-2026-4434Same product: Devolutions Devolutions Server

Affected Assets

devolutions
devolutions server
≤ 2025.3.16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires secure selection, configuration, and validation of identity providers like Microsoft Entra ID to prevent acceptance of forged JWTs during authentication.

prevent

Mandates timely identification, reporting, testing, and installation of fixes for flaws like the JWT authentication bypass in Devolutions Server.

prevent

Enforces validation of inputs such as JWTs to detect and reject forged or malformed tokens that enable authentication bypass.

References