Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE (2025)

Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems.

Threesecurity issues, two of them critical,were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.

Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.

It is used by large enterprises managing complex WAN environments, telecom operators providing managed SD-WAN/SASE services to customers, government agencies that need secure, policy-driven network segmentation, and managed security service providers that handlemulti-tenant deployments.

ProjectDiscovery researched the product and discovered the following flaws:

• CVE-2025-34027(critical severity score 10/10):aURL decoding inconsistency allows attackers to bypass authentication and access a file upload endpoint. By exploiting a race condition, they can write malicious files to disk and achieve remote code execution using ld.so.preload and a reverse shell
• CVE-2025-34026(critical severity score 9.2/10):improper reliance on the X-Real-Ip header lets attackers bypass access controls to sensitive Spring Boot Actuator endpoints. By suppressing the header via a Traefik proxy trick, attackers can extract credentials and session tokens
• CVE-2025-34025(high severity score 8.6): amisconfigured Docker setup exposes host binaries to container writes. Attackers can overwrite a binary like 'test' with a reverse shell script, which is then executed by a host cron job, resulting in full host compromise

The researchers created a video to demonstrate how CVE-2025-34027 could be exploited in attacks:

ProjectDiscovery reported the vulnerabilities to the vendor on February 13, with a 90-day disclosure period. Versa Networks acknowledge the findings and requested additional details.

On March 28,Versa Networks indicated that hotfixes would become available for all affected releases on April 7th.

Following that date, though, Versa no longer responded to the researchers' follow-up communication about the patches.

With the 90-day disclosure period expiring on May 13th, ProjectDiscovery decided to publish the full details yesterday to alert Versa Concerto users of the danger.

In lack of an official fix, organizations relying on Versa Concerto are recommended to implement temporary mitigations. One suggestion from the researchers is to block semicolons in URLs via reverse proxy or WAF, and to drop requests with 'Connection: X-Real-Ip' to block actuator access abuse.

BleepingComputer has contacted Versa Networks for a comment on the status of the fixes for the vulnerabilities that ProjectDiscovery disclosed but did not receive and we will update this post once we receive a reply.

Update 5/23 - A Versa Networks spokesperson told BleepingComputer that they actually released fixes for the said vulnerabilities earlier, but this information didn't reach the researchers.

"On February 13, 2025, three vulnerabilities were identified and confirmed in our Concerto software platform. As part of our standard security response process, we developed and validated fixes, which were completed on March 7, 2025, and the hotfix made available to customers. A Generally Available (GA) software release containing these remediations was made available to all customers on April 16, 2025."

"There is no indication that these vulnerabilities were exploited in the wild, and no customer impact has been reported. All affected customers were notified through established security and support channels with guidance on how to apply the recommended updates." - Versa Networks spokesperson