Cyber Posture

CVE-2025-2280

High

Published: 13 March 2025
Modified: 28 March 2025
KEV Added: (not listed)
Patch: (see vendor advisory)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0009 (26.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-2280 is an improper access control vulnerability affecting the web extension restriction feature in Devolutions Server versions 2024.3.4.0 and earlier. Published on 2025-03-13, the issue stems from CWE-284 (Improper Access Control) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.

An authenticated user with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Exploitation enables the attacker to bypass the browser extension restriction feature, granting unauthorized access or control that compromises confidentiality and integrity (C:H/I:H) within the unchanged security scope (S:U), though availability remains unaffected (A:N).

Mitigation details are available in the vendor security advisory DEVO-2025-0004 at https://devolutions.net/security/advisories/DEVO-2025-0004/.

Details

CWE(s)
CWE-284 (Improper Access Control); NVD-CWE-noinfo

Affected Products

Vendor: devolutions
Product: devolutions server
Versions: ≤ 2024.3.6.0

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The improper access control vulnerability allows a low-privileged authenticated user to bypass web extension restrictions in a remotely accessible server, directly enabling exploitation for privilege escalation (T1068) and exploitation of a public-facing application (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References