CVE-2026-4924
Published: 01 April 2026
Summary
CVE-2026-4924 is a high-severity Weak Authentication (CWE-1390) vulnerability in Devolutions Devolutions Server. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly manages authenticators including partially authenticated session tokens to prevent their reuse and unauthorized bypass of 2FA.
Requires re-authentication and invalidation of session identifiers to ensure full multifactor authentication completion and prevent partial token exploitation.
Mandates robust organizational user identification and authentication mechanisms, including multifactor, to comprehensively mitigate improper 2FA implementation flaws.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Devolutions Server allows remote attackers with valid primary credentials to bypass 2FA via session token reuse, directly enabling exploitation of public-facing applications for initial access and abuse of valid accounts.
NVD Description
Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session…
more
token.
Deeper analysisAI
CVE-2026-4924 is an improper authentication vulnerability (CWE-1390) in the two-factor authentication (2FA) feature of Devolutions Server versions 2026.1.11 and earlier. The flaw enables a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to a victim account by reusing a partially authenticated session token. It has a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating high severity with network accessibility, high attack complexity, low privileges required, no user interaction, changed scope, and high impacts to confidentiality and integrity.
A remote attacker who already possesses valid primary credentials (such as a username and password) for a target account can exploit this vulnerability. By initiating the 2FA authentication flow, the attacker obtains a partially authenticated session token and reuses it to skip the second factor verification, achieving full unauthorized access to the account without further authentication steps.
Mitigation details are available in the vendor security advisory DEVO-2026-0010 at https://devolutions.net/security/advisories/DEVO-2026-0010.
Details
- CWE(s)