MEDIUM 6.5

CVE-2026-10544: Devolutions Server PAM Command Injection Vulnerability

Devolutions Server contains a vulnerability in its built-in PAM (Privileged Access Management) provider that allows authenticated users with vault write access to inject commands into password rotation templates. When those templates execute, the injected commands run on systems managed by the PAM provider, potentially granting attackers control over critical infrastructure. The issue stems from insufficient sanitization of special characters and command syntax in template processing.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-78
Affected products
2 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10544 is an OS command injection vulnerability (CWE-78) affecting Devolutions Server's PAM provider password rotation functionality. The vulnerability exists in template processing logic that fails to properly neutralize special shell metacharacters and command substitution syntax. An authenticated attacker with write permissions to a vault can craft malicious password rotation templates containing embedded shell commands. During template rendering and execution, these commands are passed unsanitized to a system shell, achieving arbitrary command execution on managed systems. The CVSS 3.1 score of 6.5 reflects the requirement for prior authentication and vault write access, but also the potential for lateral movement and system compromise.

Business impact

Organizations using Devolutions Server for PAM face risk of unauthorized command execution on their managed systems. An insider or compromised account with vault access could execute arbitrary commands without requiring direct access to target systems, potentially leading to data theft, lateral movement, deployment of persistent malware, or operational disruption. The impact extends beyond the Devolutions Server itself to all systems under its PAM management, making this a supply-chain-like risk for organizations relying on centralized credential and access control.

Affected systems

Devolutions Server versions 2026.1.20.0 and earlier are vulnerable, as is version 2026.2.4.0. Organizations should verify their exact deployment version and determine which versions in their environment fall within these ranges. The vulnerability only manifests when the built-in PAM provider is in use and the attacker has authenticated access with vault write permissions.

Exploitability

Exploitation requires two preconditions: the attacker must have valid authentication credentials for Devolutions Server and must have write access to at least one vault. Given that many organizations grant vault write access to multiple administrative or automation accounts, the pool of potential attackers is broader than zero-day scenarios. No network authentication is required once the attacker is authenticated; the attack surface is primarily internal or accessible to anyone with compromised credentials. Public exploit code or detailed attack demonstrations are not known to be circulating, but the vulnerability is relatively straightforward to exploit once access is obtained.

Remediation

Devolutions recommends upgrading to patched versions; verify the exact patch version in the official Devolutions Server advisory. As an interim measure, restrict vault write access to only the minimum set of users and automation accounts that require it, and monitor vault activity for suspicious password rotation template modifications. Consider implementing network segmentation to limit which systems the PAM provider can reach if a compromise occurs.

Patch guidance

Apply the security update released by Devolutions for this vulnerability. Consult the official Devolutions Server security advisory at devolutions.net/security for the specific patch version numbers. Test patched versions in a non-production environment before rolling out enterprise-wide to ensure compatibility with existing password rotation workflows and managed systems. Prioritize systems managing critical infrastructure or sensitive credentials.

Detection guidance

Monitor Devolutions Server audit logs for vault write events, particularly modifications to password rotation templates, from accounts that do not typically perform such actions. Watch for template entries containing shell metacharacters, command substitution patterns (backticks, $(), ${}, etc.), or unusual command syntax. On managed systems, monitor for unexpected command execution initiated by the Devolutions Server PAM provider service account, especially commands that differ from normal password rotation activities. Network detection should flag suspicious outbound connections from the PAM provider to systems not in its normal inventory.

Why prioritize this

Although the CVSS score is medium (6.5), the vulnerability warrants relatively high prioritization due to the direct path to command execution on managed infrastructure, the insider-threat nature of the attack, and the potential for broad impact across all systems under PAM management. Organizations where vault write access is broadly distributed or where the PAM provider manages critical systems should treat this as a higher priority. The fact that exploitation requires authentication is the primary limiting factor preventing a higher severity rating.

Risk score, explained

The CVSS 3.1 vector (6.5/MEDIUM) reflects: network-accessible attack vector (AV:N), low attack complexity (AC:L), and no user interaction (UI:N). However, the 'N' in PR:N may appear misleading—the vulnerability does require prior authentication and vault write access, which are captured in the broader context but reflected in the overall score as medium rather than high. The impact is limited to confidentiality and integrity of managed systems (C:L, I:L) with no direct availability impact on Devolutions Server itself. Organizations with extensive PAM deployments should consider their specific risk context higher than the base score suggests.

Frequently asked questions

Do we need to update if vault write access is restricted to a small group of admins?

Yes. While restricting vault write access reduces the number of potential attackers, any compromise of a privileged account or insider with such access can still exploit this vulnerability. Defense-in-depth includes patching even when access controls are in place.

What is the difference between versions 2026.2.4.0 and 2026.1.20.0 in terms of vulnerability status?

Both versions are confirmed vulnerable. Version 2026.2.4.0 represents a newer release branch that also contains the flaw. Patch availability varies by version—consult the Devolutions security advisory to identify the correct patched version for your deployment branch.

Can this vulnerability be exploited without access to the Devolutions Server console or API?

No. The attacker must authenticate to Devolutions Server and have write access to a vault to modify password rotation templates. The vulnerability cannot be exploited remotely by unauthenticated users or those without vault write permissions.

Does this affect other Devolutions products like Devolutions Remote Desktop Manager?

This specific vulnerability is documented for Devolutions Server and its built-in PAM provider. Other Devolutions products may have separate security postures. Check Devolutions' security advisories for any cross-product impact.

This analysis is provided for informational purposes. Organizations must validate all information against official Devolutions Server security advisories and their own environment. Patch versions, affected products, and remediation steps should be verified directly with Devolutions before implementation. This vulnerability has not been added to CISA's KEV catalog as of the publication date. No exploit code or weaponized proof-of-concept is detailed in this advisory. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).