CVE-2026-3224
Published: 03 March 2026
Summary
CVE-2026-3224 is a critical-severity Improper Authentication (CWE-287) vulnerability in Devolutions Devolutions Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires secure selection, configuration, and validation of identity providers like Microsoft Entra ID to prevent acceptance of forged JWTs during authentication.
Mandates timely identification, reporting, testing, and installation of fixes for flaws like the JWT authentication bypass in Devolutions Server.
Enforces validation of inputs such as JWTs to detect and reject forged or malformed tokens that enable authentication bypass.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass via forged JWT directly enables remote exploitation of the server (T1190) to impersonate valid Entra ID cloud accounts (T1078.004) through forged web credentials (T1606).
NVD Description
Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
Deeper analysisAI
CVE-2026-3224 is an authentication bypass vulnerability in the Microsoft Entra ID (Azure AD) authentication mode of Devolutions Server versions 2025.3.15.0 and earlier. It enables an unauthenticated user to authenticate as an arbitrary Entra ID user by forging a JSON Web Token (JWT). Published on 2026-03-03, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication).
Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By crafting and submitting a forged JWT, the attacker can impersonate any Entra ID user, gaining unauthorized access to the Devolutions Server and potentially compromising sensitive data or performing privileged actions.
Mitigation details are available in the vendor security advisory DEVO-2026-0005 at https://devolutions.net/security/advisories/DEVO-2026-0005/.
Details
- CWE(s)