CVE-2025-8353: Devolutions Server JIT Access UI Synchronization Issue
A vulnerability has been identified in Devolutions Server that could allow unauthorized access to deleted Just-in-Time (JIT) Groups. This flaw stems from a UI synchronization issue within the JIT access request approval interface.
Vulnerability Details
- CVE ID: CVE-2025-8353
- Description: A UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing.
- CVSS Score: 5.9 (Medium)
- CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
- CVSS Vector Explanation: This score indicates a vulnerability that is accessible over the network (AV:N) but requires high attack complexity (AC:H). An attacker needs low privileges (PR:L) and no user interaction (UI:N). It affects confidentiality (C:L) and integrity (I:H), but not availability (A:N). This means that while the attacker can potentially read some sensitive information, they can primarily modify data, but cannot disrupt the system's operation.
- Exploit Requirements: An attacker needs to be authenticated and have network access to the Devolutions Server. The attacker also needs to exploit the race condition related to UI synchronization while the JIT group is being deleted.
- Affected Vendor, Product, Version: Devolutions, Devolutions Server, versions 2025.2.4.0 and earlier.
- CWE: CWE-446 - Results Masking
CWE-446 refers to the scenario where a software system displays inaccurate or misleading results to a user due to improper data handling or synchronization issues. In this case, the UI displays stale data, leading to potential unauthorized access.
Timeline of Events
- 2025-07-30: Vulnerability publicly disclosed.
- [Date to be determined]: Patch/Fix release (TBD).
Exploitability & Real-World Risk
The complexity of exploiting this vulnerability is rated as high, meaning it's not a straightforward process. An attacker needs to carefully time their requests to coincide with the deletion of a JIT group. However, the impact can be significant. Successfully exploiting this flaw can give an attacker unauthorized access to resources they shouldn't have, potentially leading to data breaches or system misconfigurations. This is especially concerning if the affected JIT groups controlled access to sensitive systems or data.
Recommendations
- Apply the latest patch: Upgrade Devolutions Server to the latest version as soon as a patch is available.
- Review JIT Group management: Monitor JIT group creation, deletion, and access requests.
- Implement strong access controls: Ensure that access rights are regularly reviewed and revoked when no longer needed.
- Monitor system logs: Look for unusual activity related to JIT group access.
Technical Insight
The root cause of the vulnerability lies in how Devolutions Server handles UI updates during JIT access requests. When a JIT group is deleted, the UI might not immediately reflect this change due to caching or asynchronous updates. An attacker could potentially exploit this window of opportunity to submit a request based on the outdated UI state, bypassing the intended access controls.
Credit to Researcher(s)
Devolutions Security Team
References
Tags
#DevolutionsServer #JITAccess #PrivilegeEscalation #CVE-2025-8353 #Authorization #SecurityVulnerability
Summary: CVE-2025-8353 details a UI synchronization vulnerability in Devolutions Server that allows attackers to access deleted JIT Groups. Update to the latest version as soon as possible to mitigate the risk.
CVE ID: CVE-2025-8353
Risk Analysis: Unauthorized access to resources protected by JIT groups, potentially leading to data breaches or system misconfigurations.
Recommendation: Apply the latest patch, review JIT group management, implement strong access controls, and monitor system logs.
Timeline
- 2025-07-30: Vulnerability publicly disclosed