Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Requires authenticated RDM user with shared-entry edit rights (PR:L) and a second user clicking Elevate Shell (UI:R); injection is straightforward over the network with full C/I/A impact on the target host.
Primary rating from Vendor (DEVOLUTIONS).
CVSS VectorVendor: DEVOLUTIONS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials via a crafted alternate username and user interaction with the Elevate Shell action.
AnalysisAI
OS command injection in the SSH Elevate Shell feature of Devolutions Remote Desktop Manager up to 2026.2.7 lets an authenticated user who can create or modify a shared SSH entry execute arbitrary commands on remote SSH hosts by smuggling shell metacharacters through a crafted alternate username, abusing stored elevation credentials they would not otherwise possess. No public exploit identified at time of analysis and EPSS is low (0.16%, 5th percentile), but the privilege-escalation angle - turning shared-entry write access into code execution under another user's sudo/elevation context - makes this attractive for insider or post-compromise abuse.
Technical ContextAI
Remote Desktop Manager is a connection-management workstation tool that brokers SSH/RDP/SQL sessions and centrally stores credentials, including separate "elevation" credentials used by the Elevate Shell feature to run privileged commands (e.g., sudo) once the SSH session is established. The flaw is CWE-78 (OS Command Injection): the alternate-username field consumed by the Elevate Shell action is concatenated into a shell command without sufficient validation or quoting, so shell metacharacters in that field are interpreted by the remote shell. Because the elevation password is read from the shared vault and supplied automatically when the user triggers Elevate Shell, an attacker who controls the entry definition can execute commands under privileges they were never granted directly. The affected CPE is cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:*:*:*:* through 2026.2.7.
RemediationAI
Upgrade Remote Desktop Manager to the fixed release referenced in Devolutions advisory DEVO-2026-0018 (https://devolutions.net/security/advisories/DEVO-2026-0018/); the input data does not include an exact fixed build number, so consult the advisory for the precise version above 2026.2.7. Until patched, restrict who can create or modify shared SSH entries by tightening data-source role permissions so only fully trusted administrators can edit shared entries that carry elevation credentials (trade-off: extra approval friction for legitimate entry maintainers). Additionally, avoid using Elevate Shell with stored credentials on shared SSH entries you did not author, and audit existing entries for unexpected values in the alternate-username field; defenders should also enable SSH server-side command auditing on hosts that accept Elevate Shell sessions so any injected commands are at least logged.
More in Remote Desktop Manager
View allImproper authentication in the vault password feature in Devolutions Remote Desktop Manager 2024.1.31.0 and earlier allo
Client side permission bypass in Devolutions Remote Desktop Manager 2023.3.4.0 and earlier on iOS allows an attacker tha
A remote code execution vulnerability in Remote Desktop Manager 2023.2.33 and earlier on Windows allows an attacker to r
Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and earlier on
Inadequate validation of permissions when employing remote tools and macros within Devolutions Remote Desktop Manager ve
Missing certificate validation in Devolutions Remote Desktop Manager on macOS, iOS, Android, Linux allows an attacker to
Authentication bypass in local application lock feature in Devolutions Remote Desktop Manager 2022.3.26 and earlier on W
Elevation of privilege in the Azure SQL Data Source in Devolutions Remote Desktop Manager 2022.3.13 to 2022.3.24 allows
An incomplete permission check on entries in Devolutions Remote Desktop Manager before 2021.2.16 allows attackers to byp
Improper host validation in the certificate validation component in Devolutions Remote Desktop Manager on 2024.3.19 and
Incorrect permission assignment in temporary access requests component in Devolutions Remote Desktop Manager 2024.3.19.0
Code injection in Remote Desktop Manager 2023.3.9.3 and earlier on macOS allows an attacker to execute code via the DYLI
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37023
GHSA-w469-xxf5-q946