Cybersecurity researchers have uncovered a number of vital safety vulnerabilities impacting the Versa Concerto community safety and SD-WAN orchestration platform that may very well be exploited to take management of vulnerable situations.
It is price noting that the recognized shortcomings stay unpatched regardless of accountable disclosure on February 13, 2025, prompting a public launch of the problems following the top of the 90-day deadline.
“These vulnerabilities, when chained collectively, may permit an attacker to totally compromise each the applying and the underlying host system,” ProjectDiscovery researchers Harsh Jaiswal, Rahul Maini, and Parth Malhotra stated in a report shared with The Hacker Information.
The safety defects are listed beneath –
- CVE-2025-34025 (CVSS rating: 8.6) – A privilege escalation and Docker container escape vulnerability that is attributable to unsafe default mounting of host binary paths and may very well be exploited to realize code execution on the underlying host machine
- CVE-2025-34026 (CVSS rating: 9.2) – An authentication bypass vulnerability within the Traefik reverse proxy configuration that enables an attacker to entry administrative endpoints, which may then be exploited to entry heap dumps and hint logs by exploiting an inner Spring Boot Actuator endpoint by way of CVE-2024-45410
- CVE-2025-34027 (CVSS rating: 10.0) – An authentication bypass vulnerability within the Traefik reverse proxy configuration that enables an attacker to entry administrative endpoints, which may then be exploited to realize distant code execution by exploiting an endpoint associated to package deal uploads (“/portalapi/v1/package deal/spack/add”) by way of arbitrary file writes
Profitable exploitation of CVE-2025-34027 may permit an attacker to leverage a race situation and write malicious information to disk, in the end leading to distant code execution utilizing LD_PRELOAD and a reverse shell.
“Our method concerned overwriting ../../../../../../and so forth/ld.so.preload with a path pointing to /tmp/hook.so,” the researchers stated. “Concurrently, we uploaded /tmp/hook.so, which contained a compiled C binary for a reverse shell. Since our request triggered two file write operations, we leveraged this to make sure that each information had been written inside the similar request.”
“As soon as these information had been efficiently written, any command execution on the system whereas each continued would consequence within the execution of /tmp/hook.so, thereby giving us a reverse shell.”
Within the absence of an official repair, customers are suggested to dam semicolons in URL paths and drop requests the place the Connection header accommodates the worth X-Actual-Ip. It is also advisable to watch community site visitors and logs for any suspicious exercise.
Replace
Versa Networks, in a press release shared with The Hacker Information, stated the problems had been addressed in Concerto model 12.2.1 GA launched on April 16, 2025. The entire response from the corporate is beneath –
Versa is dedicated to sustaining the best requirements of safety and transparency throughout our platform.
On February 13, 2025, three vulnerabilities had been recognized and confirmed in our Concerto software program platform. As a part of our normal safety response course of, we developed and validated fixes, which had been accomplished on March 7, 2025, and the hotfix made obtainable to clients. A Typically Out there (GA) software program launch containing these remediations was made obtainable to all clients on April 16, 2025.
Many purchasers have already upgraded to the April sixteenth launch, although we acknowledge some deployments should be pending. Detailed data on affected releases and mitigation steps has been posted for buyer entry solely.
There is no such thing as a indication that these vulnerabilities had been exploited within the wild, and no buyer influence has been reported. All affected clients had been notified by means of established safety and assist channels with steerage on methods to apply the advisable updates.
Versa follows accountable disclosure practices and takes a proactive method to figuring out, mitigating, and speaking potential dangers. Safety is foundational to our platform, and we proceed to put money into steady monitoring, speedy response, and buyer training as a part of our dedication to belief and safety.
(The story was up to date after publication to incorporate a response from Versa Networks in regards to the patch data.)
