CVE-2026-14536

Devolutions · Server

Devolutions Server 2026.2.4.0 through 2026.2.9.0 fails to enforce mandatory multi-factor authentication (MFA) policies when encountering invalid default values, allowing credentialed bypass.

Executive summary

An MFA bypass vulnerability in Devolutions Server allows authenticated users to circumvent mandatory security policies, posing a critical risk to sensitive data access.

Vulnerability

This vulnerability involves the improper enforcement of mandatory multi-factor authentication (MFA) policies. An attacker possessing valid user credentials can bypass the MFA requirement when the server encounters an invalid default MFA value, allowing them to authenticate without completing the secondary verification step.

Business impact

With a CVSS score of 9.8 (Critical), this vulnerability significantly undermines the organization's identity and access management strategy. Successful exploitation allows unauthorized access to sensitive systems protected by Devolutions Server, potentially leading to unauthorized data exposure, system manipulation, or further lateral movement within the network.

Remediation

Immediate Action: Update Devolutions Server to version 2026.2.11.0 or higher immediately.

Proactive Monitoring: Audit user access logs for unusual login patterns, particularly for accounts that should have been subjected to MFA but show successful authentication without it.

Compensating Controls: Enforce strict conditional access policies at the identity provider level (if applicable) and restrict network access to the Devolutions Server instance to authorized IP ranges only.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations must prioritize updating to the patched version, 2026.2.11.0, to restore the integrity of their authentication processes. Given the critical impact of bypassing mandatory security controls, this update should be treated as a high-priority maintenance task.