Cyber Posture

CVE-2026-4396

High

Published: 18 March 2026

Modified: 30 March 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4396 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Devolutions Hub Reporting Service. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 13.8th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-17 (Public Key Infrastructure Certificates).

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557).

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SC-17 requires establishment and maintenance of PKI certificate validation processes, directly mitigating the disabled TLS certificate verification that enables MITM attacks in this CVE.

Prevent: CM-6 mandates secure configuration settings for components like the Devolutions Hub Reporting Service, ensuring TLS certificate verification is enabled to prevent exploitation.

Prevent: SI-2 requires timely identification, reporting, and correction of flaws such as CVE-2026-4396 through vendor-provided patches in DEVO-2026-0009.

MITRE ATT&CK Enterprise Techniques [AI]

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.

Why these techniques?

Disabled TLS certificate verification directly enables undetected Adversary-in-the-Middle positioning and traffic interception/manipulation on application-layer connections.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper certificate validation in Devolutions Hub Reporting Service 2025.3.1.1 and earlier allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.

Deeper analysis [AI]

CVE-2026-4396 is an improper certificate validation vulnerability in Devolutions Hub Reporting Service versions 2025.3.1.1 and earlier. The issue arises from disabled TLS certificate verification, enabling a network attacker to perform a man-in-the-middle (MITM) attack, and is classified under CWE-295 with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A network-based attacker requires no privileges or user interaction to exploit this vulnerability, though attack complexity is high. Successful exploitation allows the attacker to intercept and manipulate communications, resulting in high impacts to confidentiality, integrity, and availability.

The Devolutions security advisory DEVO-2026-0009 at https://devolutions.net/security/advisories/DEVO-2026-0009/ provides details on mitigation and patching guidance.

Details

CWE(s): CWE-295

Affected Products

devolutions
hub reporting service
≤ 2026.1.1.0

CVEs Like This One

CVE-2025-1193 (Same vendor: Devolutions)
CVE-2026-4434 (Same vendor: Devolutions)
CVE-2024-11621 (Same vendor: Devolutions)
CVE-2025-46788 (Shared CWE-295)
CVE-2026-33810 (Shared CWE-295)
CVE-2026-2590 (Same vendor: Devolutions)
CVE-2026-32627 (Shared CWE-295)
CVE-2024-55581 (Shared CWE-295)
CVE-2025-11043 (Shared CWE-295)
CVE-2026-25160 (Shared CWE-295)
