CVE-2024-6492: Remote Desktop Manager Info Disclosure Bug

CVE-2024-6492 is an information disclosure vulnerability in Devolutions Remote Desktop Manager that exposes proxy credentials through Edge browser sessions. This article covers technical details, affected versions, and mitigation.

CVE-2024-6492 Overview

CVE-2024-6492 is a sensitive information exposure vulnerability in Devolutions Remote Desktop Manager (RDM) for Windows. The flaw exists in the Edge browser session proxy feature and affects versions 2024.2.14.0 and earlier. An attacker who lures a user to a specially crafted website can intercept proxy credentials configured within the application. The weakness is classified under CWE-522: Insufficiently Protected Credentials. Devolutions published advisory DEVO-2024-0012 to address the issue.

Critical Impact

Attackers can capture proxy credentials stored in Remote Desktop Manager, enabling unauthorized access to internal network resources reachable through the compromised proxy.

Affected Products

  • Devolutions Remote Desktop Manager Free for Windows, versions 2024.2.14.0 and earlier
  • Devolutions Remote Desktop Manager Team for Windows, versions 2024.2.14.0 and earlier
  • Edge browser session proxy feature within the affected RDM builds

Discovery Timeline

  • 2024-07-16 - CVE-2024-6492 published to the National Vulnerability Database (NVD)
  • 2025-03-28 - Last updated in NVD database

Technical Details for CVE-2024-6492

Vulnerability Analysis

The vulnerability resides in the Edge browser session proxy feature of Devolutions Remote Desktop Manager. RDM embeds a Chromium-based Edge component to launch web sessions through a configured proxy. When the session loads attacker-controlled content, the application fails to restrict access to proxy authentication credentials. The credentials become available to the loaded page, which can transmit them to an attacker-controlled endpoint. The flaw maps to CWE-522, reflecting insufficient protection of authentication material exposed to untrusted contexts. Exploitation requires user interaction, specifically opening or navigating to a crafted web resource within an RDM-managed Edge session.

Root Cause

The root cause is improper isolation between proxy credential material and the rendered web content inside the Edge session host. RDM passes proxy authentication data through a path that becomes observable to script or request handlers triggered by the loaded site. No effective boundary prevents the page from accessing or echoing the credentials back to the attacker.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker hosts a specially crafted website and convinces an RDM user to open it through an Edge browser session that uses a configured proxy. The crafted page triggers the credential disclosure during the proxy authentication flow. Because the scope changes, captured credentials grant access to resources outside the immediate browser session, including any internal systems reachable through the proxy.

No public proof-of-concept code is available. Refer to the Devolutions Security Advisory DEVO-2024-0012 for vendor-supplied technical details.

Detection Methods for CVE-2024-6492

Indicators of Compromise

  • Unexpected outbound HTTP or HTTPS requests from RemoteDesktopManager.exe or the embedded Edge process containing base64 or plaintext credential fragments.
  • Proxy authentication failures or anomalous authentication attempts from accounts whose credentials are stored only inside RDM.
  • Edge browser sessions launched from RDM that navigate to domains not associated with operational use of the application.

Detection Strategies

  • Inspect Windows process telemetry for RDM child processes spawning Edge with unusual command-line arguments or navigation targets.
  • Monitor proxy server logs for credential reuse from unexpected source addresses outside the user's normal network egress.
  • Correlate web filtering logs with RDM session activity to identify navigation to newly registered or low-reputation domains.

Monitoring Recommendations

  • Enable detailed logging in Remote Desktop Manager and forward events to a centralized log platform for retention and search.
  • Alert on changes to proxy configuration entries within RDM data sources and on first-time use of stored proxy credentials from new hosts.
  • Track authentication events on proxy infrastructure for failed logins followed by successful logins from different geolocations within short time windows.
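
The proxy-log checks described above can be prototyped as follows. This is an added example, not code from Devolutions or from this advisory: the log format, the account name svc-rdm-proxy, the 10.20.0.0/16 egress range and the 10-minute window are all assumptions, and a differing source address stands in for the geolocation comparison.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample proxy authentication log: timestamp, source IP, account, result.
# The layout is hypothetical; adapt parse_line() to your proxy's real log format.
SAMPLE_LOG = """\
2024-07-17T09:00:05Z 10.20.1.15 svc-rdm-proxy OK
2024-07-17T09:12:40Z 10.20.1.15 svc-rdm-proxy OK
2024-07-17T11:03:10Z 203.0.113.77 svc-rdm-proxy FAIL
2024-07-17T11:04:02Z 198.51.100.9 svc-rdm-proxy OK
2024-07-17T11:30:00Z 10.20.3.8 jdoe OK
2024-07-17T12:00:00Z 10.20.1.15 svc-rdm-proxy OK
"""

# Assumptions: accounts whose credentials are stored only inside RDM, and the
# networks that RDM workstations normally egress from.
RDM_ONLY_ACCOUNTS = {"svc-rdm-proxy"}
EXPECTED_EGRESS = [ipaddress.ip_network("10.20.0.0/16")]
WINDOW = timedelta(minutes=10)

def parse_line(line):
    ts, src, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ipaddress.ip_address(src), user, result

def find_alerts(log_text):
    """Return (time, account, source, reason) tuples for suspicious logins."""
    alerts = []
    last_fail = {}  # account -> (time, source) of its most recent failed login
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, user, result = parse_line(line)
        if user not in RDM_ONLY_ACCOUNTS:
            continue
        if result == "FAIL":
            last_fail[user] = (when, src)
            continue
        # Successful login: check where it came from.
        if not any(src in net for net in EXPECTED_EGRESS):
            alerts.append((when.isoformat(), user, str(src), "use-from-unexpected-source"))
        prev = last_fail.get(user)
        # A failure followed shortly by a success from a different address.
        if prev and src != prev[1] and when - prev[0] <= WINDOW:
            alerts.append((when.isoformat(), user, str(src), "fail-then-success-different-source"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```
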

How to Mitigate CVE-2024-6492

Immediate Actions Required

  • Upgrade Devolutions Remote Desktop Manager for Windows to a release later than 2024.2.14.0 as directed in advisory DEVO-2024-0012.
  • Rotate any proxy credentials that were stored in or used through affected RDM installations.
  • Audit recent Edge browser sessions launched from RDM for navigation to untrusted external sites.

Patch Information

Devolutions addressed the issue in versions released after 2024.2.14.0. Administrators should consult the Devolutions Security Advisory DEVO-2024-0012 for the fixed build numbers and download links, and deploy the update across all Windows workstations running RDM Free and RDM Team editions.

Workarounds

  • Disable the Edge browser session type within RDM until the patched version is deployed, and use alternative session handlers that do not expose proxy credentials.
  • Restrict Edge browser sessions in RDM to a strict allowlist of trusted internal domains using web filtering or proxy access control lists.
  • Remove stored proxy credentials from RDM entries and require interactive proxy authentication where feasible.

```powershell
# Configuration example: verify installed RDM version on Windows endpoints (run in a PowerShell session)
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -like 'Remote Desktop Manager*' } |
    Select-Object DisplayName, DisplayVersion
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.