Cyber Resilience

CVE-2026-4924

High

Published: 01 April 2026

Published
01 April 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0033 24.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4924 is a high-severity Weak Authentication (CWE-1390) vulnerability in Devolutions Devolutions Server. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2026-4924 is an improper authentication vulnerability (CWE-1390) in the two-factor authentication (2FA) feature of Devolutions Server versions 2026.1.11 and earlier. The flaw enables a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to a victim account by reusing a partially authenticated session token. It has a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating high severity with network accessibility, high attack complexity, low privileges required, no user interaction, changed scope, and high impacts to confidentiality and integrity.

A remote attacker who already possesses valid primary credentials (such as a username and password) for a target account can exploit this vulnerability. By initiating the 2FA authentication flow, the attacker obtains a partially authenticated session token and reuses it to skip the second factor verification, achieving full unauthorized access to the account without further authentication steps.

Mitigation details are available in the vendor security advisory DEVO-2026-0010 at https://devolutions.net/security/advisories/DEVO-2026-0010.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session…

more

token.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Vulnerability in public-facing Devolutions Server allows remote attackers with valid primary credentials to bypass 2FA via session token reuse, directly enabling exploitation of public-facing applications for initial access and abuse of valid accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4828Same product: Devolutions Devolutions Server
CVE-2026-3204Same product: Devolutions Devolutions Server
CVE-2026-1007Same product: Devolutions Devolutions Server
CVE-2026-0610Same product: Devolutions Devolutions Server
CVE-2025-2280Same product: Devolutions Devolutions Server
CVE-2026-3224Same product: Devolutions Devolutions Server
CVE-2025-2277Same product: Devolutions Devolutions Server
CVE-2025-2003Same product: Devolutions Devolutions Server
CVE-2026-3130Same product: Devolutions Devolutions Server
CVE-2026-4434Same product: Devolutions Devolutions Server

Affected Assets

devolutions
devolutions server
≤ 2025.3.18.0 · 2026.1.1.0 — 2026.1.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly manages authenticators including partially authenticated session tokens to prevent their reuse and unauthorized bypass of 2FA.

prevent

Requires re-authentication and invalidation of session identifiers to ensure full multifactor authentication completion and prevent partial token exploitation.

prevent

Mandates robust organizational user identification and authentication mechanisms, including multifactor, to comprehensively mitigate improper 2FA implementation flaws.

References