CVE-2026-4434
Published: 20 March 2026
Summary
CVE-2026-4434 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Devolutions Server, by Devolutions. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). It ranks at the 8.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-17 (Public Key Infrastructure Certificates).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-17 (Public Key Infrastructure Certificates): Mandates proper public key infrastructure certificate management and validation, directly preventing MITM attacks that rely on improper or disabled TLS certificate verification in WinRM connections.
- CM-6 (Configuration Settings): Enforces and monitors configuration settings so that TLS certificate verification stays enabled for PAM propagation WinRM connections, addressing the disabled-verification condition at the root of this vulnerability.
- SC-8 (Transmission Confidentiality and Integrity): Requires protection of transmission confidentiality and integrity, which necessitates a proper TLS implementation, including certificate validation, to block MITM exploitation.
MITRE ATT&CK Enterprise Techniques
- T1557 (Adversary-in-the-Middle)
Why these techniques?
Improper certificate validation (disabled TLS verification) on WinRM connections directly enables a network-positioned attacker to intercept and manipulate the sessions, which matches the Adversary-in-the-Middle technique.
NVD Description
Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.
Deeper analysis
CVE-2026-4434 is an improper certificate validation vulnerability (CWE-295) in PAM propagation WinRM connections, where disabled TLS certificate verification enables a network attacker to perform a man-in-the-middle (MITM) attack. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
A network-based attacker can exploit this vulnerability with high attack complexity but without requiring privileges or user interaction. Successful exploitation allows the attacker to intercept and manipulate WinRM connections during PAM propagation, potentially compromising sensitive data in transit, altering commands or responses, and disrupting service availability.
Mitigation details are provided in the Devolutions security advisory DEVO-2026-0005 at https://devolutions.net/security/advisories/DEVO-2026-0005/. Security practitioners should consult this reference for patching instructions and workarounds specific to affected Devolutions products.
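The root cause described above is a WinRM client that skips TLS certificate checks. The following PowerShell is an added illustration of what the hardened and the weak client configurations look like for WinRM over HTTPS, together with a pre-flight check a defender can run; it is not Devolutions code and says nothing about how the vendor's PAM propagation component is implemented. The target host name, port and credential are placeholders, and the cmdlets and switches used (New-PSSessionOption, New-PSSession, Test-WSMan, the WSMan: drive) are standard Windows PowerShell remoting features.

```powershell
# Added example (not Devolutions code): hardened vs. weak WinRM-over-HTTPS
# client settings relevant to CWE-295, plus a strict-validation pre-flight.
# $ComputerName / $Credential / $Port are placeholders supplied by the caller.

function New-HardenedWinRmSession {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # placeholder, e.g. 'pam-target.example.internal'
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Port = 5986                                # default WinRM HTTPS port
    )
    # New-PSSessionOption leaves the CA, CN and revocation checks enabled by
    # default. Do NOT add -SkipCACheck / -SkipCNCheck / -SkipRevocationCheck:
    # those switches are precisely the "disabled TLS certificate verification"
    # condition that lets an on-path attacker impersonate the target.
    $opt = New-PSSessionOption -OpenTimeout 15000 -OperationTimeout 60000

    # Fail closed: a certificate that does not chain to a trusted CA, does not
    # match $ComputerName, or is revoked aborts the session instead of connecting.
    New-PSSession -ComputerName $ComputerName -Port $Port -UseSSL `
        -Credential $Credential -SessionOption $opt -ErrorAction Stop
}

# Weak counterpart, shown so reviewers recognise it in scripts or config:
#   $opt = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
# With these set, any endpoint on the network path can present an arbitrary
# certificate and the client accepts it (the T1557 scenario in this advisory).

function Test-WinRmCertificateValidation {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Test-WSMan takes no skip options, so the handshake runs with full
    # validation; a certificate/trust problem surfaces as a terminating error.
    try {
        $null = Test-WSMan -ComputerName $ComputerName -UseSSL `
            -Authentication Default -Credential $Credential -ErrorAction Stop
        return $true    # strict validation passed; safe to open sessions
    } catch {
        Write-Warning "Strict TLS validation failed for ${ComputerName}: $($_.Exception.Message)"
        return $false   # fix the certificate or trust chain; never 'resolve' this with -SkipCACheck
    }
}

# On the target host: confirm an HTTPS listener bound to a real certificate
# (CertificateThumbprint populated), not only an HTTP listener on 5985.
function Get-WinRmListenerSummary {
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem $_.PSPath
        [pscustomobject]@{
            Transport  = ($props | Where-Object Name -eq 'Transport').Value
            Port       = ($props | Where-Object Name -eq 'Port').Value
            Thumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
        }
    }
}
```

Run Test-WinRmCertificateValidation before opening sessions from an automation account; a false result means the target's certificate or the client's trust store needs fixing. Auditing scripts and connection profiles for the three Skip* switches (or their equivalents in other WinRM clients) is the practical form of the CM-6 configuration check listed above.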
Details
- CWE(s): CWE-295 (Improper Certificate Validation)