CVE-2026-13372 in Remote Desktop Manager

Summary

by MITRE • 06/26/2026

Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link.


Analysis

by VulDB Data Team • 06/26/2026

This vulnerability exists in Devolutions Remote Desktop Manager's custom PowerShell VPN editor functionality where the system incorrectly resolves links based on display names rather than unique identifiers. The flaw allows authenticated attackers who possess write access to a shared workspace to manipulate the display name of a VPN script link to match that of an existing legitimate script, creating a collision that enables arbitrary code execution in another user's context. The vulnerability stems from insufficient input validation and improper link resolution mechanisms within the workspace sharing framework.

The technical implementation of this flaw involves the PowerShell VPN editor's failure to properly distinguish between different script links when multiple entries share identical display names. When a malicious user modifies a shared workspace entry to use an existing display name, the system's lookup mechanism returns the first match rather than verifying the actual unique identifier or path reference. This creates a scenario where a crafted display name can redirect execution to an attacker-controlled PowerShell script instead of the intended legitimate script. The vulnerability specifically affects versions 2026.2.5 through 2026.2.11, indicating this was a regression or newly introduced flaw in the workspace sharing implementation.
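The lookup pattern described above, shown as an added illustration rather than Devolutions' code: a first-match lookup keyed on the user-editable display name beside a lookup keyed on the immutable entry identifier. The `Workspace`, `ScriptEntry` and `VpnLink` classes are a constructed stand-in for the entry store, and the scenario (an older entry renamed by a second user so that its label collides with an existing script) is constructed to show why the two lookups return different entries.

```python
"""First-match resolution by display name beside resolution by unique id.

Constructed model of a shared workspace; not Remote Desktop Manager code.
"""
from dataclasses import dataclass
from typing import Optional
import uuid


@dataclass
class ScriptEntry:
    """A workspace entry holding a PowerShell script (constructed model)."""
    entry_id: str        # immutable identifier assigned at creation
    display_name: str    # user-editable label shown in the UI
    owner: str
    script: str


@dataclass
class VpnLink:
    """A VPN configuration's reference to a script entry (constructed model)."""
    target_id: str       # unique id of the intended script entry
    target_name: str     # display name captured when the link was created


class Workspace:
    def __init__(self) -> None:
        self.entries: list[ScriptEntry] = []   # store order is insertion order

    def add(self, display_name: str, owner: str, script: str) -> ScriptEntry:
        entry = ScriptEntry(str(uuid.uuid4()), display_name, owner, script)
        self.entries.append(entry)
        return entry

    def resolve_by_name(self, link: VpnLink) -> Optional[ScriptEntry]:
        """Flawed pattern: the first entry whose label matches wins."""
        for e in self.entries:
            if e.display_name == link.target_name:
                return e
        return None

    def resolve_by_id(self, link: VpnLink) -> Optional[ScriptEntry]:
        """Hardened pattern: labels are ignored, only the identifier is matched."""
        for e in self.entries:
            if e.entry_id == link.target_id:
                return e
        return None

    def is_ambiguous(self, display_name: str) -> bool:
        """True when more than one entry carries the same label."""
        return sum(e.display_name == display_name for e in self.entries) > 1


def build_scenario() -> tuple[Workspace, VpnLink]:
    """Constructed scenario: a link was made to alice's script, then a second
    user with write access renames an older entry of their own to the same label."""
    ws = Workspace()
    older = ws.add("Helper", "mallory", "Write-Host 'helper'")
    legit = ws.add("Corp VPN Connect", "alice", "Connect-Vpn -Profile Corp")
    link = VpnLink(target_id=legit.entry_id, target_name=legit.display_name)
    older.display_name = "Corp VPN Connect"   # the display-name collision
    return ws, link


def resolved_owners() -> tuple[str, str, bool]:
    """Owner returned by each lookup, plus whether the label is now ambiguous."""
    ws, link = build_scenario()
    by_name = ws.resolve_by_name(link)
    by_id = ws.resolve_by_id(link)
    return by_name.owner, by_id.owner, ws.is_ambiguous(link.target_name)


if __name__ == "__main__":
    name_owner, id_owner, ambiguous = resolved_owners()
    print(f"by display name -> {name_owner}; by id -> {id_owner}; ambiguous={ambiguous}")
```

With the store ordered as constructed, the name-based lookup returns the renamed entry while the id-based lookup still returns the entry the link was created against; `is_ambiguous` is the check a resolver can apply before trusting any name-based match.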

The operational impact of this vulnerability is significant, as it enables privilege escalation and lateral movement within shared workspaces. An attacker with write permissions can replace legitimate script references with malicious ones without detection, potentially executing scripts that access sensitive credentials, network resources, or system information. The attack requires only basic workspace modification privileges, which are often granted to team members in collaborative environments, making this vector particularly dangerous. This vulnerability directly maps to CWE-425: Direct Request Forgery and CWE-693: Protection Mechanism Failure, as it undermines the integrity of script execution mechanisms through improper validation.

This vulnerability aligns with ATT&CK technique T1059.001: Command and Scripting Interpreter - PowerShell, where attackers leverage PowerShell execution capabilities to gain unauthorized access. The attack chain typically involves initial compromise through shared workspace write access followed by script manipulation to achieve persistent access or data exfiltration. Organizations using Devolutions Remote Desktop Manager in collaborative environments are particularly at risk as the vulnerability can be exploited without requiring elevated privileges beyond standard user access with write permissions to shared workspaces.

The recommended mitigations include immediate patching of affected versions to 2026.2.12 or later, implementing strict validation of display names during workspace entry creation, and enabling additional authentication checks for script execution. Organizations should also monitor for unusual modifications to shared workspace entries and establish least-privilege access controls for workspace write permissions. Addressing the root cause requires enforcing unique identifiers in link resolution rather than relying solely on display name matching, which aligns with the secure configuration management practices outlined in NIST SP 800-53 and ISO/IEC 27001.
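One way to implement the monitoring recommended above, as an added example that is not part of the VulDB entry or of Devolutions' tooling: audit a workspace export for two conditions, script entries that share a display name, and links whose target entry has been renamed since the link was created. The export shape (`entries`, `links`, `PowerShellVpn` type, `modified` timestamps) is a constructed JSON layout, not Remote Desktop Manager's real export schema, and the sample data is constructed.

```python
"""Audit a workspace export for display-name collisions and renamed link targets.

Constructed export format and sample data; not Remote Desktop Manager's schema.
"""
import json
from collections import defaultdict

# Constructed sample export: two PowerShell VPN entries now share one label,
# and one link still carries a label its target no longer uses.
SAMPLE_EXPORT = json.dumps({
    "entries": [
        {"id": "e1", "type": "PowerShellVpn", "name": "Corp VPN Connect",
         "owner": "alice", "modified": "2026-06-20T09:00:00Z"},
        {"id": "e2", "type": "PowerShellVpn", "name": "Corp VPN Connect",
         "owner": "mallory", "modified": "2026-06-25T18:41:00Z"},
        {"id": "e3", "type": "PowerShellVpn", "name": "Lab VPN",
         "owner": "bob", "modified": "2026-06-01T10:00:00Z"},
    ],
    "links": [
        {"from": "session-42", "target_id": "e1", "target_name": "Corp VPN Connect"},
        {"from": "session-77", "target_id": "e3", "target_name": "Lab VPN (old)"},
    ],
})


def find_name_collisions(export: dict) -> dict[str, list[str]]:
    """Display names used by more than one script entry, mapped to the entry ids."""
    by_name: dict[str, list[str]] = defaultdict(list)
    for e in export["entries"]:
        if e.get("type") == "PowerShellVpn":
            by_name[e["name"]].append(e["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def find_stale_links(export: dict) -> list[str]:
    """Link sources whose target entry's current name differs from the name
    captured at link creation, i.e. the target was renamed after linking."""
    names = {e["id"]: e["name"] for e in export["entries"]}
    return [link["from"] for link in export["links"]
            if names.get(link["target_id"]) != link["target_name"]]


def audit(export_json: str) -> list[str]:
    """Alert lines for collisions (with owners and last-modified times) and stale links."""
    export = json.loads(export_json)
    alerts: list[str] = []
    for name, ids in find_name_collisions(export).items():
        involved = [e for e in export["entries"] if e["id"] in ids]
        owners = [e["owner"] for e in involved]
        latest = max(e["modified"] for e in involved)
        alerts.append(f"COLLISION name={name!r} ids={ids} owners={owners} last_modified={latest}")
    for src in find_stale_links(export):
        alerts.append(f"STALE_LINK from={src}")
    return alerts


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT):
        print(line)
```

Run against a periodic export, the collision alert names every owner involved and the most recent modification time, which is the entry to review first; the stale-link alert flags references whose captured label no longer matches the target, so a name-based resolver would no longer find what the link was created for.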

Responsible

DEVOLUTIONS

Reservation

06/25/2026

Disclosure

06/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low
