{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0747", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-01-08T19:09:44.557Z", "datePublished": "2026-01-08T19:55:58.944Z", "dateUpdated": "2026-01-08T20:07:40.198Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Remote Desktop Manager", "vendor": "Devolutions", "versions": [{"lessThanOrEqual": "2025.3.28.0", "status": "affected", "version": "2025.3.24.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div><div><div><div><div><div><div><div><div><div><div>Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing.</div></div></div></div></div></div></div></div><div><div></div></div></div></div></div><br>\n\n</div><br>"}], "value": "Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-01-08T19:55:58.944Z"}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0002/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T20:06:33.387229Z", "id": "CVE-2026-0747", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T20:07:40.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0747", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T20:06:33.387229Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T20:07:16.415Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Remote Desktop Manager", "versions": [{"status": "affected", "version": "2025.3.24.0", "versionType": "custom", "lessThanOrEqual": "2025.3.28.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0002/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing.", "supportingMedia": [{"type": "text/html", "value": "<div><div><div><div><div><div><div><div><div><div><div><div>Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing.</div></div></div></div></div></div></div></div><div><div></div></div></div></div></div><br>\n\n</div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-01-08T19:55:58.944Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0747", "state": "PUBLISHED", "dateUpdated": "2026-01-08T20:07:40.198Z", "dateReserved": "2026-01-08T19:09:44.557Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-01-08T19:55:58.944Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:remote_desktop_manager:*:*:*:*:*:windows:*:*", "matchCriteriaId": "7F4399A3-8778-4568-80C0-39E152DBBB9D", "versionEndExcluding": "2025.3.29.0", "versionStartIncluding": "2025.3.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing."}], "id": "CVE-2026-0747", "lastModified": "2026-01-22T18:14:40.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-08T20:15:44.927", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory", "Broken Link"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0002/"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:40:45.231850+00:00", "value": {"mitigation_remediation": ["Upgrade Devolutions Remote Desktop Manager to version 2025.3.29.0 or later, which removes the defective masking feature.", "If an immediate upgrade is not possible, disable the password visibility option in TeamViewer entry dashboards or avoid displaying passwords during screen sharing sessions.", "Implement strict access control for physical machines and limit screen\u2013sharing sessions to trusted users, ensuring that remote sessions are encrypted and monitored for unauthorized observation."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "Devolutions Remote Desktop Manager versions 2025.3.24.0 through 2025.3.28.0 running on Windows environments are affected. Users of these builds who store passwords in the TeamViewer entry dashboard component are at risk.", "description_and_impact": "The vulnerability pertains to a defective masking mechanism in the TeamViewer entry dashboard component of Devolutions Remote Desktop Manager. Due to this flaw, an external observer\u2014either in person or via screen sharing\u2014can see displayed passwords on the screen. The weakness enables an attacker to steal credentials, compromising confidentiality of stored passwords. The issue is a classic information disclosure flaw as identified by CWE-200.", "risk_and_exploitability": "The CVSS score of 3.3 indicates low severity, but the practical impact is significant for individuals handling sensitive credentials. EPSS indicates that exploitation probability is below 1%, so widespread attacks are unlikely at this time. The vulnerability is not listed in the CISA KEV database, and no public exploits have been documented. An attacker would require access to the physical machine or a screen sharing session; therefore, the attack vector is predominantly physical or insider-based."}}}}, "created": "2026-01-09T13:24:16.476669+00:00", "title": "External Observer Can View Password Screens in Devolutions Remote Desktop Manager", "updated": "2026-04-18T16:45:05.226733+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$remote_desktop_manager", "microsoft", "microsoft$PRODUCT$windows"]}