Critical Security Vulnerabilities in Versa Concerto Enable Authentication Bypass and Remote Code Execution
Critical vulnerabilities have been identified in the Versa Concerto platform, which remain unpatched and pose significant risks. These vulnerabilities could enable remote attackers to bypass authentication mechanisms and execute arbitrary code on affected systems.
Researchers from ProjectDiscovery have publicly disclosed three security issues, including two critical vulnerabilities, after reporting them to the vendor without receiving any confirmation that the issues would be addressed.
Versa Concerto serves as the centralized management and orchestration platform for Versa Networks’ SD-WAN and SASE (Secure Access Service Edge) solutions. It is widely utilized by large enterprises managing complex WAN environments, telecom operators offering managed SD-WAN/SASE services, government agencies requiring secure, policy-driven network segmentation, and managed security service providers managing multi-tenant deployments.
Following a thorough investigation, ProjectDiscovery identified the following vulnerabilities:
- CVE-2025-34027 (Critical Severity Score 10/10): A URL decoding inconsistency allows attackers to bypass authentication and access a file upload endpoint. By exploiting a race condition, attackers can write malicious files to disk, subsequently achieving remote code execution by leveraging ‘ld.so.preload’ to establish a reverse shell.
- CVE-2025-34026 (Critical Severity Score 9.2/10): Improper reliance on the ‘X-Real-Ip’ header permits attackers to bypass access controls to sensitive Spring Boot Actuator endpoints. By manipulating the header via a Traefik proxy, attackers can extract credentials and session tokens.
- CVE-2025-34025 (High Severity Score 8.6/10): A misconfigured Docker setup exposes host binaries to container write operations. This vulnerability enables attackers to overwrite binaries, such as ‘test’, with scripts that establish a reverse shell, leading to full host compromise when executed by a host cron job.
To illustrate the exploitability of CVE-2025-34027, the researchers also published a demonstration video.
ProjectDiscovery initially reported these vulnerabilities to Versa Networks on February 13, initiating a 90-day disclosure period. Following the disclosure, Versa Networks acknowledged the findings and requested further information.
On March 28, Versa Networks announced that hotfixes would be released for all affected versions by April 7. However, after this date, communications regarding the patches were not forthcoming.
As the 90-day disclosure period lapsed on May 13, ProjectDiscovery opted to publish the full details to inform users of Versa Concerto about the associated risks.
In the absence of an official patch, organizations utilizing Versa Concerto are advised to implement temporary mitigations. Two recommended measures are to block semicolons in URLs at a reverse proxy or web application firewall (WAF), and to discard requests whose ‘Connection’ header names ‘X-Real-Ip’, which mitigates the risk of actuator access exploitation.
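As an added illustration of those two interim mitigations (this is example code written for this article, not code from ProjectDiscovery or Versa Networks), the following Python pre-filter models the checks a reverse proxy or WAF rule set would need to apply. It parses the head of an HTTP request, rejects any request target that carries a semicolon in literal or percent-encoded form, and rejects any request whose Connection header lists X-Real-Ip as a hop-by-hop header. The request samples, paths and the decode-depth limit are constructed assumptions for the demonstration.

```python
"""
Added example (not from the article, ProjectDiscovery or Versa Networks):
a model of the two interim mitigations recommended for unpatched Versa
Concerto, written as a request pre-filter. All sample requests below are
constructed for illustration; the paths are placeholders.
"""
from typing import List, Optional, Tuple
from urllib.parse import unquote

Headers = List[Tuple[str, str]]

# Assumed bound on how many percent-decoding rounds to try. The underlying
# issue is a URL decoding inconsistency, so a single literal-character check
# is not enough: %3B and even %253B must also be treated as a semicolon.
MAX_DECODE_ROUNDS = 3


def url_contains_semicolon(raw_target: str) -> bool:
    """True if the request target carries ';' literally or percent-encoded."""
    current = raw_target
    for _ in range(MAX_DECODE_ROUNDS):
        if ";" in current:
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return ";" in current


def connection_names_x_real_ip(headers: Headers) -> bool:
    """True if any Connection header lists X-Real-Ip as a hop-by-hop token.

    Such a token instructs an intermediary to strip that header before
    forwarding, which is why the article recommends dropping the request.
    Header names are matched case-insensitively; token lists may be
    comma-separated with arbitrary whitespace.
    """
    for name, value in headers:
        if name.strip().lower() != "connection":
            continue
        tokens = [t.strip().lower() for t in value.split(",")]
        if "x-real-ip" in tokens:
            return True
    return False


def parse_request_head(raw: str) -> Tuple[str, str, Headers]:
    """Parse 'METHOD TARGET VERSION' plus header lines into (method, target, headers)."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name, value.strip()))
    return method, target, headers


def block_reason(raw_request: str) -> Optional[str]:
    """Return a short reason when the request should be rejected, else None."""
    _method, target, headers = parse_request_head(raw_request)
    if url_contains_semicolon(target):
        return "semicolon-in-url"
    if connection_names_x_real_ip(headers):
        return "connection-names-x-real-ip"
    return None


# Constructed sample requests (placeholder paths, not real Concerto routes).
SAMPLES = {
    "plain": "GET /example/status HTTP/1.1\r\nHost: concerto.example\r\nConnection: close\r\n\r\n",
    "literal_semicolon": "POST /example;x/upload HTTP/1.1\r\nHost: concerto.example\r\n\r\n",
    "encoded_semicolon": "POST /example%3Bx/upload HTTP/1.1\r\nHost: concerto.example\r\n\r\n",
    "double_encoded": "POST /example%253Bx/upload HTTP/1.1\r\nHost: concerto.example\r\n\r\n",
    "strip_real_ip": "GET /example/actuator HTTP/1.1\r\nHost: concerto.example\r\nconnection: keep-alive, X-Real-Ip\r\n\r\n",
}


def triage(samples: dict) -> dict:
    """Map each sample name to its block reason (None means allowed)."""
    return {name: block_reason(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, reason in triage(SAMPLES).items():
        print(f"{name:18s} -> {reason or 'allow'}")
```

Semicolons are legal in URLs (matrix parameters, for instance), so a rule like this should be tested against recorded legitimate traffic before it is enforced, and the Connection-header rule should apply to every intermediary in front of the application, not just the outermost one.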
Attempts to reach Versa Networks for a status update regarding the vulnerabilities and the progress on fixes have not yielded a response. Further communication will be provided as updates are received.