Cyber Resilience

CVE-2026-7325

High

Published: 22 May 2026

Modified: 22 May 2026
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0022 (12.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-7325 is a high-severity SSRF (CWE-918) vulnerability in Devolutions Server. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Name Resolution Poisoning and SMB Relay (T1557.001). The CVE ranks at the 12.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects:

* Devolutions Server 2026.1.6.0 through 2026.1.16.0
* Devolutions Server 2025.3.20.0 and earlier

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1557.001 Name Resolution Poisoning and SMB Relay (Credential Access)
By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system.
Why these techniques?

The SSRF enables forced authentication, relaying the service account's credentials to an attacker-controlled server.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

devolutions
devolutions server
≤ 2025.3.22.0 · 2026.1.6.0 — 2026.1.19.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.
