
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE

Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems.

Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.

Versa Concerto is the centralized management and orchestration platform for Versa Networks’ SD-WAN and SASE (Secure Access Service Edge) solutions.

It’s used by large enterprises managing complex WAN environments, telecom operators offering managed SD-WAN/SASE services to customers, government agencies that need secure, policy-driven network segmentation, and managed security service providers that handle multi-tenant deployments.

ProjectDiscovery researched the product and discovered the following flaws:

  • CVE-2025-34027 (critical severity score 10/10): a URL decoding inconsistency allows attackers to bypass authentication and access a file upload endpoint. By exploiting a race condition, they can write malicious files to disk and achieve remote code execution using ld.so.preload and a reverse shell
  • CVE-2025-34026 (critical severity score 9.2/10): improper reliance on the X-Real-Ip header lets attackers bypass access controls to sensitive Spring Boot Actuator endpoints. By suppressing the header via a Traefik proxy trick, attackers can extract credentials and session tokens
  • CVE-2025-34025 (high severity score 8.6): a misconfigured Docker setup exposes host binaries to container writes. Attackers can overwrite a binary like ‘test’ with a reverse shell script, which is then executed by a host cron job, resulting in full host compromise

The researchers created a video to demonstrate how CVE-2025-34027 could be exploited in attacks.

ProjectDiscovery reported the vulnerabilities to the vendor on February 13, with a 90-day disclosure period. Versa Networks acknowledged the findings and requested additional details.

On March 28, Versa Networks indicated that hotfixes would become available for all affected releases on April 7th.

Following that date, though, Versa no longer responded to the researchers’ follow-up communication about the patches.

With the 90-day disclosure period expiring on May 13th, ProjectDiscovery decided to publish the full details yesterday to alert Versa Concerto users of the danger.

In the absence of an official fix, organizations relying on Versa Concerto are recommended to implement temporary mitigations. One suggestion from the researchers is to block semicolons in URLs via reverse proxy or WAF, and to drop requests with ‘Connection: X-Real-Ip’ to block actuator access abuse.
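
The two temporary mitigations above, written as a request filter that a proxy hook or log review script could call. This is an added example, not code from ProjectDiscovery, Versa or the original article; the function names, the decode bound and the sample requests are assumptions, and it goes beyond the literal advice by also catching percent-encoded semicolons.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: how many layers of percent-encoding to unwrap


def has_semicolon(raw_target: str) -> bool:
    """True if the request target holds ';' literally or once percent-decoding
    is applied repeatedly (covers %3B and double-encoded %253B)."""
    current = raw_target
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if ";" in current:
            return True
        decoded = unquote(current)
        if decoded == current:  # fully decoded, no semicolon found
            return False
        current = decoded
    # Still changing after the bound: deeper nesting than any normal client sends.
    return True


def connection_names_header(headers, name="x-real-ip") -> bool:
    """True if any Connection header lists `name` as a hop-by-hop token,
    which asks the proxy to strip that header before forwarding."""
    for key, value in headers:
        if key.strip().lower() != "connection":
            continue
        if name in (tok.strip().lower() for tok in value.split(",")):
            return True
    return False


def verdict(raw_target: str, headers) -> list:
    """Return the list of mitigation rules the request trips (empty = allow)."""
    reasons = []
    if has_semicolon(raw_target):
        reasons.append("semicolon-in-url")
    if connection_names_header(headers):
        reasons.append("connection-strips-x-real-ip")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests; the paths are placeholders, not product URLs.
    samples = [
        ("/app/dashboard?tab=1", [("Connection", "keep-alive")]),
        ("/app/a%253bb/c", [("Host", "concerto.example")]),
        ("/app/status", [("connection", "Keep-Alive, X-Real-IP")]),
    ]
    for target, hdrs in samples:
        print(target, "->", verdict(target, hdrs) or "allow")
```

The filter should see the raw request target as received on the wire, before any component normalizes or decodes it.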

BleepingComputer has contacted Versa Networks for a comment on the status of the fixes for the vulnerabilities that ProjectDiscovery disclosed but did not receive a response, and we will update this post once we receive a reply.
