Cyber Resilience

CVE-2026-4434

High

Published: 20 March 2026

Published
20 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 4.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4434 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Devolutions Devolutions Server. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 4.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

CVE-2026-4434 is an improper certificate validation vulnerability (CWE-295) in PAM propagation WinRM connections, where disabled TLS certificate verification enables a network attacker to perform a man-in-the-middle (MITM) attack. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

A network-based attacker can exploit this vulnerability with high attack complexity but without requiring privileges or user interaction. Successful exploitation allows the attacker to intercept and manipulate WinRM connections during PAM propagation, potentially compromising sensitive data in transit, altering commands or responses, and disrupting service availability.

Mitigation details are provided in the Devolutions security advisory DEVO-2026-0005 at https://devolutions.net/security/advisories/DEVO-2026-0005/. Security practitioners should consult this reference for patching instructions and workarounds specific to affected Devolutions products.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack via disabled TLS certificate verification.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Improper certificate validation (disabled TLS verification) on WinRM connections directly enables network-positioned attackers to perform MITM interception and manipulation of the sessions, matching the Adversary-in-the-Middle technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-11621Same vendor: Devolutions
CVE-2026-4396Same vendor: Devolutions
CVE-2026-3204Same product: Devolutions Devolutions Server
CVE-2026-4924Same product: Devolutions Devolutions Server
CVE-2025-1193Same vendor: Devolutions
CVE-2026-4828Same product: Devolutions Devolutions Server
CVE-2026-3130Same product: Devolutions Devolutions Server
CVE-2026-0610Same product: Devolutions Devolutions Server
CVE-2026-3224Same product: Devolutions Devolutions Server
CVE-2025-2280Same product: Devolutions Devolutions Server

Affected Assets

devolutions
devolutions server
≤ 2026.1.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates proper public key infrastructure certificate management and validation to directly prevent MITM attacks from improper or disabled TLS certificate verification in WinRM connections.

prevent

Enforces and monitors configuration settings to ensure TLS certificate verification is enabled during PAM propagation WinRM connections, addressing the disabled verification vulnerability.

prevent

Requires protection of transmission confidentiality and integrity, which necessitates proper TLS implementation including certificate validation to block MITM exploitation.

References