Cyber Posture

CVE-2024-11621

High

Published: 10 February 2025
Modified: 28 March 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (35.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Missing certificate validation in Devolutions Remote Desktop Manager on macOS, iOS, Android, Linux allows an attacker to intercept and modify encrypted communications via a man-in-the-middle attack. Versions affected are:

Remote Desktop Manager macOS 2024.3.9.0 and earlier
Remote Desktop Manager Linux 2024.3.2.5 and earlier
Remote Desktop Manager Android 2024.3.3.7 and earlier
Remote Desktop Manager iOS 2024.3.3.0 and earlier
Remote Desktop Manager PowerShell 2024.3.6.0 and earlier

Security Summary

CVE-2024-11621 is a missing certificate validation vulnerability (CWE-295) in Devolutions Remote Desktop Manager, affecting the macOS version 2024.3.9.0 and earlier, Linux version 2024.3.2.5 and earlier, Android version 2024.3.3.7 and earlier, iOS version 2024.3.3.0 and earlier, and PowerShell version 2024.3.6.0 and earlier. Published on 2025-02-10, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Because the client does not properly verify the server's certificate, an attacker who can place themselves on the network path can intercept and modify communications that the user believes are encrypted end to end.

A remote, unauthenticated attacker can exploit this vulnerability by positioning themselves between the victim and the target server, such as through a malicious network or by tricking the user into connecting via a controlled proxy. User interaction is required, typically for the victim to initiate or accept a connection in the affected Remote Desktop Manager client. Successful exploitation allows the attacker to read sensitive data in transit and alter communications, resulting in high impacts to confidentiality, integrity, and availability.
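The root cause class here is CWE-295: a TLS client that accepts any server certificate. The example below is added by the editor and is not code from Devolutions or from the product; it shows, in generic Python `ssl` terms, what a correctly validating client context looks like beside the misconfigured pattern, plus a small audit function a defender can run against contexts in their own codebase to catch the weak settings. Function names (`hardened_client_context`, `weak_client_context`, `audit_context`) are the editor's own.

```python
import socket
import ssl


def hardened_client_context(cafile=None):
    """Build a client SSLContext that validates the chain and the hostname.

    create_default_context already sets CERT_REQUIRED and check_hostname=True;
    they are restated here so that a later edit cannot silently drop them.
    cafile is an optional path to a private CA bundle (None = system store).
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0 / 1.1
    ctx.check_hostname = True                      # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED            # unverifiable chain -> handshake fails
    return ctx


def weak_client_context():
    """The CWE-295 pattern: a context that accepts any certificate from anyone.

    Built only so that audit_context() has something to flag; never use it
    for real connections.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # chain is not checked at all
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; empty means it is sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.0/1.1")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect with the hardened context and report whether validation passed.

    Returns (True, subject) on success, (False, reason) when the handshake is
    rejected, e.g. for a self-signed or mismatched certificate.
    """
    ctx = hardened_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, cert.get("subject")
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Offline demonstration: audit both contexts. probe() needs network access.
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "OK")
```

The audit is deliberately strict about `verify_mode`: `CERT_OPTIONAL` also validates a certificate when one is presented, but a TLS client should never treat the server certificate as optional, so anything other than `CERT_REQUIRED` is reported.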

Devolutions has published security advisory DEVO-2025-0001 at https://devolutions.net/security/advisories/DEVO-2025-0001/, which provides details on mitigation and patching instructions for affected versions.

Details

CWE(s): CWE-295 (Improper Certificate Validation)

Affected Products

devolutions remote desktop manager: ≤ 2024.3.2.9 · ≤ 2024.3.4.0 · ≤ 2024.3.4.2
devolutions remote desktop manager powershell: ≤ 2024.3.7

Note that these catalogue version bounds differ from the per-platform affected versions given in the description above; the vendor advisory (DEVO-2025-0001) is the authoritative source for fixed versions.
