Home / Vulnerability Intelligence / CVE-2026-3224

CVE-2026-3224 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 4, 2026

Devolutions Server - Authentication Bypass

Published: March 3, 2026Updated: March 4, 2026Remote Exploitable

Overview

Devolutions Server <= 2025.3.15.0 contains an authentication bypass caused by acceptance of forged JSON Web Tokens in Microsoft Entra ID authentication mode, letting unauthenticated users authenticate as arbitrary Entra ID users.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can impersonate any Entra ID user, gaining unauthorized access to the system.

Mitigation

Update to the latest version beyond 2025.3.15.0.

References

https://devolutions.net/security/advisories/DEVO-2026-0005/

Social Media Activity(2 posts)

Offensive Sequence

@offseq

Mar 4, 2026

🚨 CVE-2026-3224: CRITICAL auth bypass in Devolutions Server <=2025.3.15.0 using Microsoft Entra ID. Attackers can forge JWTs for full access. No known exploits, but patch ASAP & tighten token validation. https://radar.offseq.com/threat/cve-2026-3224-cwe-287-improper-authentication-cwe--6697497e #OffSeq #Vuln #CyberSecurity #JWT

View original post

Offensive Sequence

@offseq

Mar 4, 2026

View original post

Related Resources

Details

CVE ID: CVE-2026-3224
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0%Probability of exploitation in the next 30 days