Skip to main content

Remote Desktop Manager CVE-2026-12162

| EUVDEUVD-2026-37024 MEDIUM
Improper Validation of Certificate with Host Mismatch (CWE-297)
2026-06-15 DEVOLUTIONS GHSA-xwf9-wf96-c767
5.5
CVSS 3.1 · Vendor: DEVOLUTIONS
Share

Severity by source

Vendor (DEVOLUTIONS) PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
vuln.today AI
5.7 MEDIUM

Credential disclosure warrants C:H; description confirms no integrity or availability impact; PR:L for entry-creation access; UI:R for required victim interaction.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (DEVOLUTIONS).

CVSS VectorVendor: DEVOLUTIONS

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jun 16, 2026 - 13:27 vuln.today
CVSS changed
Jun 16, 2026 - 13:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 15, 2026 - 23:56 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain.

AnalysisAI

Credential disclosure in Devolutions Remote Desktop Manager versions 2026.2.0 through 2026.2.8 allows a low-privileged attacker to capture stored social login credentials by creating a crafted web entry targeting a provider lookalike domain. The social login autofill feature fails to properly validate the target host against the legitimate OAuth or social identity provider domain, causing stored credentials to be submitted to an attacker-controlled site when the victim user opens the malicious entry. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

Technical ContextAI

CWE-297 (Improper Validation of Certificate with Host Mismatch) describes failures in host identity verification during domain or certificate checks at the application layer. In Devolutions Remote Desktop Manager - a privileged access management and remote desktop platform - the social login autofill feature is designed to detect the active web entry's target URL and automatically populate stored OAuth or social login credentials. The flaw lies in insufficient hostname validation: the feature does not enforce strict matching against a whitelist of legitimate provider domains, allowing homograph, typosquat, or lookalike domains (e.g., a domain resembling 'accounts.google.com') to pass validation and receive autofilled credentials. The affected product is identified by CPE cpe:2.3:a:devolutions:remote_desktop_manager in all builds from 2026.2.0 through 2026.2.8, as confirmed by ENISA EUVD-2026-37024.

RemediationAI

Upgrade Devolutions Remote Desktop Manager to a version beyond 2026.2.8 as directed by the vendor security advisory DEVO-2026-0018 at https://devolutions.net/security/advisories/DEVO-2026-0018/. The exact patched release version is not independently confirmed from the available input data and must be verified directly against that advisory before deployment. As an interim compensating control, administrators should restrict or audit which users are permitted to create or import web entries in shared RDM environments, since the attack requires an adversary to plant a crafted entry. Users should avoid opening web entries sourced from untrusted parties and should audit existing web entries configured with external social or OAuth provider URLs for suspicious domain names. Disabling the social login autofill feature entirely eliminates the attack surface at the cost of losing that productivity feature; this trade-off may be acceptable in high-security deployments pending a patch.

CVE-2024-6057 CRITICAL
9.8 Jun 17

Improper authentication in the vault password feature in Devolutions Remote Desktop Manager 2024.1.31.0 and earlier allo

CVE-2023-6593 CRITICAL
9.8 Dec 12

Client side permission bypass in Devolutions Remote Desktop Manager 2023.3.4.0 and earlier on iOS allows an attacker tha

CVE-2023-5766 CRITICAL
9.8 Nov 01

A remote code execution vulnerability in Remote Desktop Manager 2023.2.33 and earlier on Windows allows an attacker to r

CVE-2023-5765 CRITICAL
9.8 Nov 01

Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and earlier on

CVE-2023-4373 CRITICAL
9.8 Aug 21

Inadequate validation of permissions when employing remote tools and macros within Devolutions Remote Desktop Manager ve

CVE-2024-11621 HIGH
8.8 Feb 10

Missing certificate validation in Devolutions Remote Desktop Manager on macOS, iOS, Android, Linux allows an attacker to

CVE-2026-12161 HIGH
8.8 Jun 15

OS command injection in the SSH Elevate Shell feature of Devolutions Remote Desktop Manager up to 2026.2.7 lets an authe

CVE-2022-4287 HIGH
8.8 Dec 21

Authentication bypass in local application lock feature in Devolutions Remote Desktop Manager 2022.3.26 and earlier on W

CVE-2022-3641 HIGH
8.8 Dec 12

Elevation of privilege in the Azure SQL Data Source in Devolutions Remote Desktop Manager 2022.3.13 to 2022.3.24 allows

CVE-2021-42098 HIGH
8.8 Oct 18

An incomplete permission check on entries in Devolutions Remote Desktop Manager before 2021.2.16 allows attackers to byp

CVE-2025-1193 HIGH
8.1 Feb 10

Improper host validation in the certificate validation component in Devolutions Remote Desktop Manager on 2024.3.19 and

CVE-2024-12149 HIGH
8.1 Dec 04

Incorrect permission assignment in temporary access requests component in Devolutions Remote Desktop Manager 2024.3.19.0

Share

CVE-2026-12162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy