
May 22, 2025

Critical vulnerabilities in Versa Concerto at risk of exploitation


Security researchers have identified several critical vulnerabilities in Versa Concerto, a centralized management platform for Versa Networks' SD-WAN and SASE solutions. Versa Concerto is widely used by large enterprises, telecom operators, government agencies, and managed security service providers to manage complex WAN environments and secure network segmentation.

The flaws remain unpatched and could allow a remote threat actor to bypass authentication and execute arbitrary code on affected systems. The most severe vulnerability, CVE-2025-34027, carries a maximum severity score of 10/10. It involves a URL decoding inconsistency that enables threat actors to bypass authentication and access a file upload endpoint. By exploiting a race condition, threat actors can write malicious files to disk and achieve remote code execution using ld.so.preload and a reverse shell.

Another critical flaw, CVE-2025-34026 (severity score of 9.2), arises from improper reliance on the X-Real-Ip header, allowing threat actors to bypass access controls to sensitive Spring Boot Actuator endpoints. The third vulnerability, CVE-2025-34025 (severity score of 8.6), is due to a misconfigured Docker setup that exposes host binaries to container writes, potentially leading to full host compromise.


The vulnerabilities were disclosed to Versa Networks on February 13, with a 90-day disclosure period. Versa acknowledged the findings and indicated that hotfixes would become available for all affected releases on April 7. However, following that date, Versa ceased responding to the researchers' follow-up communications regarding the patches. With the disclosure period expiring on May 13, security researchers published the full details to alert Versa Concerto users of the danger.

In the absence of official fixes, organizations relying on Versa Concerto are advised to implement temporary mitigations. Recommendations include blocking semicolons in URLs via reverse proxy or web application firewall (WAF) and dropping requests with the 'Connection: X-Real-Ip' header to prevent abuse of actuator access. These measures aim to reduce the risk of exploitation until official patches are released.

Source: Bleeping Computer

Analysis

Versa Concerto—particularly its management component, Versa Director—has been exploited in the past. A significant incident occurred in mid-2024, involving the Chinese state-sponsored threat group known as Volt Typhoon. This group exploited a zero-day vulnerability, tracked as CVE-2024-39717, in Versa Director's "Change Favicon" feature. The flaw allowed a threat actor with administrator privileges to upload malicious Java files disguised as PNG images, leading to remote code execution.

Versa Networks acknowledged the vulnerability and released patches in August 2024. However, the company noted that exploitation was facilitated by customers who had not implemented the recommended firewall guidelines and had left management ports exposed to the internet, which underscores the importance of properly configuring internet-facing services.

As of now, there are no publicly confirmed reports of active exploitation of the recently discovered critical vulnerabilities in Versa Concerto. However, the release of detailed technical analyses and proof-of-concept (PoC) exploits, combined with Volt Typhoon’s past interest in Versa flaws, significantly increases the risk of these vulnerabilities being exploited in the near future.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities in software. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

In the absence of official security updates from Versa, Field Effect strongly advises impacted users to block semicolons in URLs via reverse proxy or WAF, and to drop requests with 'Connection: X-Real-Ip' to block actuator access abuse, as detailed by Project Discovery.
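The two interim mitigations above (drop requests whose URL contains a semicolon, and drop requests whose Connection header names X-Real-Ip) can be expressed as a simple pre-filter in front of the application. The following is an added illustration written for this page, not code from Field Effect, Project Discovery or Versa; the request samples are constructed, and the semicolon check also looks through bounded percent-decoding so that encoded forms such as %3B are caught, which goes slightly beyond the literal recommendation.

```python
from urllib.parse import unquote

# Constructed sample requests (request target, headers) used only to exercise
# the filter; none of these are captured traffic.
SAMPLE_REQUESTS = [
    ("/portalapi/v1/status", {"Host": "concerto.example"}),
    ("/portalapi/v1/upload;x=1", {"Host": "concerto.example"}),
    ("/actuator/env", {"Connection": "keep-alive, X-Real-Ip"}),
    ("/portalapi%253Bx", {"Host": "concerto.example"}),
]


def url_has_semicolon(raw_target: str, max_decodes: int = 3) -> bool:
    """True if the request target contains ';' literally or after percent-decoding.
    Decoding is repeated a bounded number of times so that double-encoded
    sequences (e.g. %253B) are caught as well."""
    target = raw_target
    for _ in range(max_decodes + 1):
        if ";" in target:
            return True
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return False


def connection_names_x_real_ip(headers: dict) -> bool:
    """True if the Connection header lists X-Real-Ip as a hop-by-hop header.
    Header names match case-insensitively; the value is a comma-separated token list."""
    for name, value in headers.items():
        if name.lower() == "connection":
            tokens = {t.strip().lower() for t in value.split(",")}
            if "x-real-ip" in tokens:
                return True
    return False


def block_reason(raw_target: str, headers: dict):
    """Return why a request should be dropped, or None to let it through."""
    if url_has_semicolon(raw_target):
        return "semicolon-in-url"
    if connection_names_x_real_ip(headers):
        return "connection-x-real-ip"
    return None


def filter_samples():
    """Apply the filter to the constructed samples; returns (target, reason) pairs."""
    return [(t, block_reason(t, h)) for t, h in SAMPLE_REQUESTS]
```

Logging the returned reason alongside the source address gives a cheap detection signal for probing of these endpoints until a vendor patch is applied.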
