CVE-2026-14536
Devolutions · Server
Devolutions Server 2026.2.4.0 through 2026.2.9.0 fails to enforce mandatory multi-factor authentication (MFA) policies when encountering invalid default values, allowing credentialed bypass.
Executive summary
An MFA bypass vulnerability in Devolutions Server allows authenticated users to circumvent mandatory security policies, posing a critical risk to sensitive data access.
Vulnerability
This vulnerability involves the improper enforcement of mandatory multi-factor authentication (MFA) policies. An attacker possessing valid user credentials can bypass the MFA requirement when the server encounters an invalid default MFA value, allowing them to authenticate without completing the secondary verification step.
Business impact
With a CVSS score of 9.8 (Critical), this vulnerability significantly undermines the organization's identity and access management strategy. Successful exploitation allows unauthorized access to sensitive systems protected by Devolutions Server, potentially leading to unauthorized data exposure, system manipulation, or further lateral movement within the network.
Remediation
Immediate Action: Update Devolutions Server to version 2026.2.11.0 or higher immediately.
Proactive Monitoring: Audit user access logs for unusual login patterns, particularly for accounts that should have been subjected to MFA but show successful authentication without it.
Compensating Controls: Enforce strict conditional access policies at the identity provider level (if applicable) and restrict network access to the Devolutions Server instance to authorized IP ranges only.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations must prioritize updating to the patched version, 2026.2.11.0, to restore the integrity of their authentication processes. Given the critical impact of bypassing mandatory security controls, this update should be treated as a high-priority maintenance task.