CVE-2026-3224
CRITICAL
Devolutions Server <2025.3.15.0 - Auth Bypass
Title source: llm
Description
Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
Exploits (1)
Scores
CVSS v3
9.8
EPSS
0.0006
EPSS Percentile
18.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
devolutions/devolutions_server
< 2025.3.16.0
Published
Mar 03, 2026
Tracked Since
Mar 04, 2026