CVE-2022-3781 - Devolutions Remote Desktop Manager Exposes Dashlane and KeePass Server Passwords Unencrypted in Database

Have you ever imagined that your most sensitive credentials—like Dashlane and KeePass server passwords—could be lying around unprotected in your organization’s database? If you’re using Devolutions Remote Desktop Manager (RDM) or Devolutions Server, this may be exactly what happened until recently, thanks to a critical vulnerability, CVE-2022-3781. In this post, we’ll dive into the details of this vulnerability, show you proof-of-concept code, and explain how it can be exploited.

Problem Summary

Dashlane and KeePass Server passwords configured inside the My Account Settings in either RDM or Devolutions Server are *not encrypted* when stored in the product database. Instead, they are saved as plain text, making them accessible to any user or attacker with direct database access—even without admin rights.

This means the main passwords you're using to sync or manage other secure resources can be seen just by running a simple database query.

Risk Impact

- Unauthorized Access: Anyone with database access can simply read these fields and get your Dashlane or KeePass master server password.
- Credential Theft: Attackers can reuse these passwords for credential stuffing or pivot to other systems.

Exploit Details (Step by Step)

Let’s see a basic walkthrough of exploiting this flaw. Remember, you must have SOME authorized or unauthorized level of database access (like the ability to query the database through valid credentials or a misconfigured server).

1. Locate the Database

Typically, Devolutions products use Microsoft SQL Server for their backend.

2. Identify the Relevant Table

The passwords are stored in tables such as [UserAccountSettings] or similar (depending on deployment).

Below is an example SQL query that can be used to retrieve plain text passwords

SELECT UserName, DashlanePassword, KeePassServerPassword
FROM UserAccountSettings
WHERE DashlanePassword IS NOT NULL OR KeePassServerPassword IS NOT NULL;

Sample Output

| UserName | DashlanePassword | KeePassServerPassword |
|----------|------------------|----------------------|
| alice    | mySuperPass!234  | keePassSecret2022    |
| bob      | 1234password     | anotherKeeSecret     |

This sample output exposes *real, usable* credential data.

4. Use the Credentials

You can now reuse or test these passwords elsewhere, possibly accessing all stored secrets inside the company’s password vaults.

How Did This Happen?

At its core, the issue is that RDM and Devolutions Server failed to encrypt password fields related to Dashlane or KeePass server integration. While application-level encryption is standard for sensitive data, some fields were left in plain text, possibly due to legacy coding or an oversight.

Update to latest versions beyond RDM 2022.2.26 and Devolutions Server 2022.3.1.

- Download latest Remote Desktop Manager
  - Get latest Devolutions Server

References

- NIST NVD CVE-2022-3781 Details
- Devolutions Security Advisories
- RDM Official Documentation
- CERT/CC Vulnerability Note VU#

Final Notes

CVE-2022-3781 is a prime example of how a single unencrypted field can undermine the entire security posture of a business relying on password managers or server vaults. It's a wakeup call for every organization to not just trust but *verify* how their data is handled—especially with powerful IT management tools like Devolutions Remote Desktop Manager.

Feel free to share this post or ask questions below. Stay safe and keep your credentials secure!


*Exclusive content. For republishing or commercial use, contact the author.*

Timeline

Published on: 11/01/2022 19:15:00 UTC
Last modified on: 11/03/2022 17:18:00 UTC