CVE-2026-9522: Devolutions Server Auth Bypass Vulnerability

CVE-2026-9522 is an improper access control flaw in Devolutions Server that allows authenticated non-admin users to delete network discovery scan configurations. This article covers the technical details, affected versions, and mitigations.

CVE-2026-9522 Overview

CVE-2026-9522 is an improper access control vulnerability [CWE-284] in the Privileged Access Management (PAM) account discovery feature of Devolutions Server. The flaw affects Devolutions Server version 2026.1.19 and earlier. Authenticated users without administrative privileges can delete network discovery scan configurations through this weakness. The vulnerability requires network access and low privileges, with no user interaction needed. Devolutions has published a security advisory tracked as DEVO-2026-0014.

Critical Impact

Low-privileged authenticated users can delete network discovery scan configurations, disrupting PAM account discovery operations and undermining administrative integrity controls.

Affected Products

  • Devolutions Server 2026.1.19 and earlier
  • Devolutions Server PAM account discovery feature
  • Network discovery scan configuration component

Discovery Timeline

  • 2026-06-02 - CVE-2026-9522 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-9522

Vulnerability Analysis

The vulnerability resides in the PAM account discovery feature of Devolutions Server. The PAM module includes a network discovery scan configuration component that controls how the server enumerates privileged accounts across the network. The application fails to enforce administrative authorization on the delete operation for these scan configurations. Any authenticated user, regardless of role, can issue the delete request and remove configurations created by administrators.

The issue is classified under [CWE-284] Improper Access Control. The classification reflects a missing authorization check rather than a broken authentication mechanism. Confidentiality and integrity impacts are limited, and availability of the broader server is not affected. However, deleted scan configurations interrupt PAM account discovery workflows that security teams rely on for privileged identity governance.

Root Cause

The root cause is the absence of a role-based authorization check on the delete endpoint for network discovery scan configurations. The server validates that the requestor is authenticated but does not verify that the account holds the administrative role required to manage PAM discovery settings. This is a server-side authorization gap and cannot be remediated through client-side controls.

Attack Vector

Exploitation requires a valid, non-administrative account on the Devolutions Server. The attacker sends a delete request against the network discovery scan configuration resource through the standard application interface. No user interaction or social engineering is required. The attack is launched over the network against the management interface. See the Devolutions Security Advisory DEVO-2026-0014 for vendor-confirmed technical details.

Detection Methods for CVE-2026-9522

Indicators of Compromise

  • Unexpected deletion events for PAM network discovery scan configurations in Devolutions Server audit logs.
  • Delete API calls to discovery scan configuration endpoints originating from non-administrative user sessions.
  • Gaps or disappearance of scheduled PAM account discovery scans without a corresponding administrative change record.

Detection Strategies

  • Review Devolutions Server audit logs for delete actions against PAM discovery scan configurations and correlate with the acting user's role.
  • Alert on any modification of PAM discovery configurations performed by accounts that do not hold the administrator role.
  • Baseline the expected set of network discovery scan configurations and detect deviations through periodic configuration exports.
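
One way to implement the log review and baseline checks above, as an added example that is not from the advisory or from Devolutions: it parses a constructed CSV audit export (the log format, field names and role labels are assumptions), flags discovery scan configuration changes made by accounts without the administrator role, and diffs a current configuration export against a baseline to surface deleted entries.

```python
# Added example, not from the advisory or from Devolutions. Flags discovery
# scan configuration changes by non-admin accounts and diffs a config export
# against a baseline. Log format, field names and role labels are assumptions.
import csv
import io

# Constructed sample audit export (CSV); real audit records will differ.
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,action,object_type,object_name
2026-06-03T08:12:04Z,alice,Administrator,Delete,DiscoveryScanConfig,dc-subnet-10
2026-06-03T08:15:31Z,bob,User,Delete,DiscoveryScanConfig,linux-servers
2026-06-03T08:16:02Z,bob,User,Read,DiscoveryScanConfig,dmz-hosts
2026-06-03T09:01:45Z,carol,User,Delete,Vault,personal-vault
"""

ADMIN_ROLES = {"Administrator"}          # roles allowed to manage PAM discovery
CONFIG_TYPE = "DiscoveryScanConfig"      # object type of scan configurations
CONFIG_ACTIONS = {"Delete", "Update"}    # modifications worth alerting on


def parse_audit_log(text):
    """Parse a CSV audit export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_config_changes(rows):
    """Rows where a non-admin modified a discovery scan configuration:
    authenticated but not authorized, the CVE-2026-9522 pattern."""
    return [
        r for r in rows
        if r["object_type"] == CONFIG_TYPE
        and r["action"] in CONFIG_ACTIONS
        and r["role"] not in ADMIN_ROLES
    ]


def config_drift(baseline, current):
    """Compare baseline scan config names with a current export; returns
    (missing, unexpected), where missing entries may have been deleted."""
    baseline, current = set(baseline), set(current)
    return sorted(baseline - current), sorted(current - baseline)


if __name__ == "__main__":
    for r in suspicious_config_changes(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"ALERT {r['timestamp']} {r['user']} ({r['role']}) "
              f"{r['action']} {r['object_type']} {r['object_name']}")
    # Constructed baseline and current export for the drift check.
    print(config_drift(["dc-subnet-10", "linux-servers", "dmz-hosts"],
                       ["dc-subnet-10", "dmz-hosts"]))
```

Only the non-admin delete of a scan configuration is flagged; the administrator's delete, the non-admin read, and the delete of an unrelated object type are not.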

Monitoring Recommendations

  • Forward Devolutions Server audit and administrative logs to a centralized SIEM for long-term retention and correlation.
  • Monitor authentication events to identify low-privileged accounts performing administrative-level configuration changes.
  • Track failed and successful API calls against PAM management endpoints to detect reconnaissance preceding exploitation.

How to Mitigate CVE-2026-9522

Immediate Actions Required

  • Upgrade Devolutions Server to a version later than 2026.1.19 that contains the fix referenced in advisory DEVO-2026-0014.
  • Audit existing PAM network discovery scan configurations and restore any that may have been deleted by unauthorized users.
  • Review the role assignments of all authenticated Devolutions Server users and remove accounts that do not require access.

Patch Information

Devolutions has published advisory DEVO-2026-0014 addressing CVE-2026-9522. Administrators should consult the advisory for the exact fixed build number and apply the upgrade through the standard Devolutions Server update process. No exploit code is publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.027%, indicating low predicted exploitation activity at publication.

Workarounds

  • Restrict access to the Devolutions Server management interface to trusted administrative networks until the patch is applied.
  • Limit Devolutions Server accounts to the minimum role required and disable unused non-administrative accounts.
  • Increase audit log review frequency on PAM discovery configuration objects to detect unauthorized delete operations quickly.

```bash
# Configuration example
# Verify Devolutions Server version before and after patching
# Replace <server-host> with your Devolutions Server hostname
curl -s https://<server-host>/api/version

# Export current PAM discovery scan configurations for backup
# prior to applying the DEVO-2026-0014 update
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
