VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

CVE-2026-12161

Description

Devolutions Remote Desktop Manager 2026.2.7 allows authenticated SSH entry editors to execute arbitrary commands via crafted alternate username in Elevate Shell.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Improper input validation in the SSH Elevate Shell feature of Devolutions Remote Desktop Manager (RDM) version 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host. The bug is triggered by entering a crafted alternate username in the SSH entry and subsequently using the Elevate Shell action, which handles the untrusted input without sanitization when it runs with the stored elevation credentials.

Exploitation

An attacker needs valid authentication to RDM and the permission to create or modify a shared SSH entry. The steps are: create or edit a shared SSH entry, set an alternate username containing shell metacharacters or command injection syntax, save the entry, and then have a target user use the Elevate Shell action (or use it themselves). No additional network access beyond what is normal for SSH management is required.

Impact

On success, the attacker achieves arbitrary command execution on the remote SSH host in the context of the stored elevation credentials. This can lead to full compromise of the remote host, including data exfiltration, lateral movement, or privilege escalation within the target environment [1].

Mitigation

Devolutions released a security advisory (DEVO-2026-0018) [1] addressing this issue. Users should upgrade to a patched version of Remote Desktop Manager as soon as possible. If an immediate upgrade is not possible, restrict permissions for creating or modifying shared SSH entries to trusted users only and avoid using stored elevation credentials with shared SSH entries until the fix is applied.

References
  1. advisories

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
