CVE-2026-9047
Published: 22 May 2026
Summary
CVE-2026-9047 is a high-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Devolutions Server. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Multi-Factor Authentication (T1556.006). The CVE ranks at the 20.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31450
Vulnerability details
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is a direct MFA bypass: improper factor key state handling lets an attacker who already knows the user's password skip the second factor.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.