High

Authenticated SQL Injection in Devolutions Server last usage logs

IdentifiersCVE-2025-13757CWE-89· Improper Neutralization of Special…

CVE-2025-13757 is an SQL injection vulnerability in the last usage logs component of Devolutions Server. The provided content states that the issue affects Devolutions Server through version 2025.2.20 and through 2025.3.8, and characterizes the flaw as authenticated. Based on the available information, insufficiently sanitized input in functionality related to last usage logs can be used to inject arbitrary SQL statements into backend database queries. The reporting also states that successful exploitation could allow an attacker to steal all passwords stored in the affected system. No further technical details about the specific vulnerable function, parameters, or query construction are available in the provided content.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an authenticated attacker to execute unintended SQL queries against the Devolutions Server backend database. Based on the provided reporting, this may enable extraction of highly sensitive data, including all passwords stored in the affected system. Depending on database privileges and application behavior, SQL injection may also permit broader compromise of application data integrity and confidentiality.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to Devolutions Server to only trusted, necessary users and administrative networks, and minimize the number of accounts able to reach the affected functionality. Monitor and alert on anomalous requests involving last usage logs and unexpected database query behavior. Use least-privilege database credentials for the application to limit the blast radius of SQL injection. Where feasible, place the service behind network access controls or a reverse proxy with request inspection, though such measures are compensating controls and not a substitute for patching.

Remediation

Patch, then assume compromise.

Upgrade Devolutions Server to a fixed release newer than 2025.2.20 and 2025.3.8, as the provided content indicates those versions are affected. Apply the vendor's security update or hotfix addressing CVE-2025-13757 as soon as it is available in your supported release train. Validate that all instances, including standby or test deployments, are updated and review database and application logs for signs of abuse of last usage logs functionality.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

DevolutionsDevolutions Serverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

security online infoNews

Dec 1, 2025

Critical Devolutions Server Flaw (CVE-2025-13757) Allows Authenticated SQL Injection to Steal All Passwords

A critical vulnerability in Devolutions Server that allows authenticated SQL injection and could be used to steal all passwords.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-13757

NVD

nvd.nist.gov/vuln/detail/CVE-2025-13757

MITRE CWE · CWE-89

Improper Neutralization of Special Elements…

Vendor Advisory

devolutions.net/security/advisories/DEVO-2025-0018