{"id":85893,"date":"2025-11-26T09:28:03","date_gmt":"2025-11-26T09:28:03","guid":{"rendered":""},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-30T06:00:00","slug":"cve-2025-6741-unauthorized-entry-access-via-secure-message-entry-attachment-feature-in-devolutions-server","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-6741-unauthorized-entry-access-via-secure-message-entry-attachment-feature-in-devolutions-server\/","title":{"rendered":"<strong>CVE-2025-6741: Unauthorized Entry Access via Secure Message Entry Attachment Feature in Devolutions Server<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>This report discusses a serious vulnerability in Devolutions Server, designated as CVE-2025-6741. This vulnerability, if exploited, can compromise data and system integrity by allowing unauthorized access to sensitive information via the secure message entry attachment feature. The vulnerability impacts both businesses and individual users utilizing affected versions of Devolutions Server, underscoring the urgency of its mitigation.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-6741<br \/>\nSeverity: High (7.7 CVSS Score)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: Low (Authenticated User)<br \/>\nUser Interaction: Required<br \/>\nImpact: Unauthorized access to sensitive data, potential system compromise<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-674447211\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>Devolutions Server | 2025.2.2.0 through 2025.2.4.0<br \/>\nDevolutions Server | 2025.1.11.0 and earlier<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The vulnerability arises from an improper access control mechanism in the secure message component of Devolutions Server. An authenticated user could exploit this vulnerability by sending a specially crafted request to the secure message entry attachment feature. By doing so, they could gain unauthorized access to sensitive data, leading to potential system compromise or data leakage.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-3422585255\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<pre><code class=\"\" data-line=\"\">POST \/secure_message\/attachment_entry HTTP\/1.1\nHost: target.example.com\nAuthorization: Bearer {user_token}\n{\n&quot;entry_id&quot;: &quot;{unauthorized_entry_id}&quot;,\n&quot;attachment_data&quot;: &quot;{malicious_payload}&quot;\n}<\/code><\/pre>\n<p>In this conceptual example, an authenticated user sends a POST request to the `attachment_entry` endpoint of the `secure_message` component. The user includes an `entry_id` for an entry to which they do not have legitimate access, and `attachment_data` that represents a malicious payload. This unauthorized action is made possible due to the improper access control mechanism in place.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview This report discusses a serious vulnerability in Devolutions Server, designated as CVE-2025-6741. This vulnerability, if exploited, can compromise data and system integrity by allowing unauthorized access to sensitive information via the secure message entry attachment feature. The vulnerability impacts both businesses and individual users utilizing affected versions of Devolutions Server, underscoring the urgency of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[],"tags":[],"vendor":[],"product":[],"attack_vector":[],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-85893","post","type-post","status-publish","format-standard","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/85893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=85893"}],"version-history":[{"count":0,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/85893\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=85893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=85893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=85893"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=85893"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=85893"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=85893"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=85893"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=85893"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=85893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}