CVE-2026-13372
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
A vulnerability in Devolutions Remote Desktop Manager allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link. The issue affects the custom PowerShell VPN editor in versions 2026.2.5 through 2026.2.11.
Risk Assessment
An attacker can hijack another user's session by executing a malicious PowerShell script, leading to data confidentiality and integrity breaches and potential lateral movement within the network.
Recommendation
Immediately update Devolutions Remote Desktop Manager to version 2026.2.12 or later, which includes a fix for this vulnerability. Additionally, restrict write access to shared workspaces to trusted users only.
Original NVD description (English source)
Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link.

