HIGH | CVE-2026-12161 | Published | Modified | CNA: DEVOLUTIONS

CVE-2026-12161: Improper input validation in the SSH Elevate Shell feature in

Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials via a crafted alternate username and user interaction with the Elevate Shell action.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

Improper input validation in the SSH Elevate Shell feature of Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated attacker to execute arbitrary commands on a remote SSH host. The vulnerability is reachable over the network and requires only a low-privilege account with permission to create or modify a shared SSH entry; no victim interaction beyond a target user triggering the Elevate Shell action is needed. Successful exploitation gives the attacker full command execution on the remote SSH host using stored elevation credentials. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-12161 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle Devolutions Remote Desktop Manager. Images at or below version 2026.2.7 are flagged automatically.
Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 8.8 (High) and weighting that score against each customer environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.
Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Devolutions ships a corrected release. In the interim, customers can use HarborGuard's compensating-control suggestions, such as network-policy isolation of affected hosts and restriction of SSH entry creation permissions, to reduce exposure while waiting for an upstream patch.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Remote Desktop Manager service over the network; the affected feature is exposed to network-accessible clients.

  • Authentication: Required

    Any low-privilege account that holds permission to create or modify a shared SSH entry is sufficient to attempt exploitation; no administrative account is needed.

  • Victim interaction: Required

    A target user must trigger the Elevate Shell action against the crafted SSH entry, making this a social-engineering or insider-threat scenario where the attacker plants a malicious entry and waits for another user to activate it.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond holding the necessary account permission.

Blast Radius

  • Executes arbitrary operating-system commands on the remote SSH host using the stored elevation credentials, which typically carry elevated or root-level privileges.
  • Reads files, secrets, and credentials accessible to the elevated session on the remote host.
  • Writes or modifies files and configurations on the remote host, enabling persistence or lateral movement to other systems reachable from that host.
  • Crashes or disrupts processes on the remote host if the attacker chooses to run destructive commands.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-12161, HarborGuard monitors the Devolutions advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix version is published. While waiting for an upstream release, HarborGuard surfaces compensating-control recommendations including network-policy isolation of hosts running Remote Desktop Manager, restriction of SSH shared-entry creation permissions to a minimal set of trusted accounts, and egress filtering to limit which remote SSH hosts an affected instance can reach. Customers can configure compliance policies to escalate this CVE to high-priority queues and notify the relevant team immediately, ensuring the patch PR is reviewed and merged as soon as the rebuild becomes available.

Affected packages

  • Devolutions / Remote Desktop Manager: ≤ 2026.2.7

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H