CVE-2024-11621 Overview
CVE-2024-11621 is a missing certificate validation vulnerability in Devolutions Remote Desktop Manager (RDM) affecting macOS, iOS, Android, Linux, and PowerShell editions. The flaw allows network-positioned attackers to intercept and modify encrypted communications through a man-in-the-middle (MITM) attack. The weakness maps to [CWE-295: Improper Certificate Validation].
Devolutions assigned advisory DEVO-2025-0001 and released patched builds. Because RDM brokers privileged remote sessions and credentials, successful interception can expose secrets used for downstream administrative access.
Critical Impact
Attackers on the network path can downgrade trust, intercept session traffic, and tamper with data transmitted by Remote Desktop Manager clients on macOS, iOS, Android, Linux, and PowerShell.
Affected Products
- Remote Desktop Manager macOS 2024.3.9.0 and earlier
- Remote Desktop Manager Linux 2024.3.2.5 and earlier; Android 2024.3.3.7 and earlier; iOS 2024.3.3.0 and earlier
- Remote Desktop Manager PowerShell 2024.3.6.0 and earlier
Discovery Timeline
- 2025-02-10 - CVE-2024-11621 published to NVD
- 2025-03-28 - Last updated in NVD database
Technical Details for CVE-2024-11621
Vulnerability Analysis
The affected Remote Desktop Manager clients fail to properly validate X.509 certificates presented by remote endpoints during TLS handshakes. Without strict validation of the certificate chain, hostname, or trust anchor, the client accepts certificates that should be rejected. An attacker positioned between the client and the legitimate server can present a forged or attacker-controlled certificate and complete the TLS negotiation.
Once the session is established through the attacker, the encrypted channel terminates at the attacker rather than the intended server. The attacker decrypts, inspects, and modifies traffic in transit. Because RDM stores and transmits session credentials, RDP/SSH connection parameters, and vault data, the exposed material can be reused to authenticate to downstream systems.
Exploitation requires user interaction in the form of initiating an RDM connection, but no privileges on the target client are needed.
Root Cause
The client implementations on macOS, iOS, Android, Linux, and the PowerShell module omit or weaken TLS certificate verification logic. This includes failing to enforce trust chain validation, hostname matching, or rejection of self-signed certificates outside an approved trust store, as described in the Devolutions Security Advisory DEVO-2025-0001.
Attack Vector
An attacker must be able to intercept network traffic between the RDM client and its remote endpoint. Common positions include hostile Wi-Fi networks, compromised routers, ARP or DNS spoofing inside a LAN, or upstream ISP-level interception. The attacker presents a fraudulent certificate during the TLS handshake; the vulnerable client accepts it and establishes the session. The attacker then proxies traffic, harvesting credentials and altering commands or responses.
No verified public exploit or proof-of-concept code is currently associated with this CVE.
Detection Methods for CVE-2024-11621
Indicators of Compromise
- Unexpected TLS certificates presented to RDM clients, especially self-signed certificates or those issued by untrusted authorities for known server hostnames.
- RDM connections from end-user devices traversing unexpected intermediate hosts or proxy addresses.
- Authentication anomalies on downstream RDP, SSH, or web targets that follow an RDM session from a mobile or macOS/Linux client.
Detection Strategies
- Inspect TLS metadata at network egress and alert on certificate issuer, fingerprint, or Subject Alternative Name mismatches for hosts reached by RDM clients.
- Compare observed server certificates against a known-good baseline pinned per environment.
- Correlate RDM client process activity with outbound TLS sessions to identify connections that bypass corporate VPN or trusted gateways.
Monitoring Recommendations
- Enable verbose RDM connection logging and forward logs to a central SIEM for correlation.
- Monitor mobile and macOS/Linux endpoints for execution of RDM builds at or below the vulnerable version numbers.
- Track ARP, DHCP, and DNS anomalies on networks where RDM clients operate, since these often precede MITM attempts.
How to Mitigate CVE-2024-11621
Immediate Actions Required
- Upgrade Remote Desktop Manager to a fixed release on every affected platform: macOS later than 2024.3.9.0, Linux later than 2024.3.2.5, Android later than 2024.3.3.7, iOS later than 2024.3.3.0, and PowerShell later than 2024.3.6.0.
- Rotate credentials and secrets stored in or transmitted by RDM if vulnerable clients were used on untrusted networks.
- Restrict RDM usage to trusted networks or enforce VPN tunneling until all clients are patched.
Patch Information
Devolutions has released fixed versions for all affected platforms. Refer to the Devolutions Security Advisory DEVO-2025-0001 for exact patched build numbers and download locations. Verify deployed client versions through your endpoint management or MDM platform before declaring the fix complete.
Workarounds
- Require RDM clients to connect through a corporate VPN with strict server authentication until upgrades are completed.
- Avoid using vulnerable RDM builds on public or untrusted Wi-Fi networks.
- Where supported, enforce certificate pinning or use an internal certificate authority with controlled distribution to RDM hosts.
# Verify installed Remote Desktop Manager PowerShell module version
Get-Module -ListAvailable -Name Devolutions.PowerShell | Select-Object Name, Version
# Upgrade to a fixed release (must be later than 2024.3.6.0)
Update-Module -Name Devolutions.PowerShell -Force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
