Critical Zero-Day Vulnerabilities Identified in Versa Networks SD-WAN/SASE Platform


Three critical vulnerabilities have been identified in Versa Concerto, which serves as the orchestration platform for Versa Networks’ Software-Defined Wide Area Network (SD-WAN) and Secure Access Service Edge (SASE) solutions.

Despite being notified of these vulnerabilities in mid-February, Versa has yet to issue any patches to address them.

Breakdown of Vulnerabilities in Versa Concerto

On May 21, ProjectDiscovery, the vulnerability management firm whose researchers found the flaws, published an advisory describing three newly discovered vulnerabilities in Versa Concerto. The researchers first identified them in early February.

The vulnerabilities were assigned three CVE identifiers on May 21:

CVE-2025-34025: A privilege escalation and container escape vulnerability (CVSSv4 score: 8.6) caused by the default, unsafe mounting of host binary paths into the container, which lets a process inside the container modify files on the host.
CVE-2025-34026: An authentication bypass in the Traefik reverse proxy configuration (CVSSv4 score: 9.2) that exposes the application's Actuator management endpoints and can leak sensitive internal information.
CVE-2025-34027: A second authentication bypass in the Traefik reverse proxy configuration (CVSSv4 score: 10.0) that could allow an unauthenticated attacker to achieve remote code execution through path-loading manipulation.
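
To make the first bullet concrete, below is an added audit helper (an editorial example, not code from ProjectDiscovery or Versa) that walks `docker inspect` output and flags bind mounts that give a container write access to host binary directories, the general misconfiguration class behind CVE-2025-34025. The list of host paths to treat as sensitive and the sample container records are constructed assumptions; the page does not describe the exact mount Versa ships, so the script checks the pattern rather than any specific path.

```python
import json
import sys

# Host directories that, when bind-mounted read-write into a container, let code
# inside the container replace binaries or libraries the host will later execute.
# This list is an editorial assumption for the example, not Versa's configuration.
HOST_BINARY_PATHS = (
    "/bin", "/sbin", "/usr/bin", "/usr/sbin",
    "/usr/local/bin", "/usr/local/sbin", "/lib", "/usr/lib",
)


def is_host_binary_path(path: str) -> bool:
    """True if `path` is a host binary directory, something under one, or the host root."""
    path = path.rstrip("/") or "/"
    if path == "/":
        return True  # mounting the whole host filesystem covers every binary path
    return any(path == p or path.startswith(p + "/") for p in HOST_BINARY_PATHS)


def risky_mounts(inspect_output):
    """Return (container, host_source, container_destination) for every writable
    bind mount whose host source is a binary path.

    `inspect_output` has the shape of `docker inspect` JSON: a list of container
    records, each with a "Name" and a "Mounts" list. Named volumes are skipped
    because their backing directory lives under Docker's own data root, not in
    a host binary path.
    """
    findings = []
    for container in inspect_output:
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            # Docker reports RW=false only for mounts explicitly marked read-only,
            # so treat a missing RW flag as writable (the conservative choice).
            if mount.get("RW", True) and is_host_binary_path(mount.get("Source", "")):
                findings.append((name, mount["Source"], mount["Destination"]))
    return findings


# Constructed sample resembling `docker inspect` output. "orchestrator" carries the
# dangerous pattern: host /usr/bin mounted read-write. "proxy" mounts a binary
# path read-only and uses a named volume, both of which are acceptable.
SAMPLE_INSPECT = [
    {
        "Name": "/orchestrator",
        "Mounts": [
            {"Type": "bind", "Source": "/usr/bin", "Destination": "/host/usr/bin", "RW": True},
            {"Type": "bind", "Source": "/etc/app", "Destination": "/etc/app", "RW": False},
        ],
    },
    {
        "Name": "/proxy",
        "Mounts": [
            {"Type": "bind", "Source": "/usr/local/bin", "Destination": "/hostbin", "RW": False},
            {"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
             "Destination": "/data", "RW": True},
        ],
    },
]


if __name__ == "__main__":
    # Run on the embedded sample, or pipe real data in:
    #   docker inspect $(docker ps -q) | python3 audit_mounts.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    for name, src, dst in risky_mounts(data):
        print(f"{name}: host {src} is mounted read-write at {dst}")
```

The check is deliberately about the host side of the mount: where the directory lands inside the container matters less than the fact that anything written there becomes a binary the host trusts. A read-only mount (`:ro`) removes the write primitive; not mounting host binary paths at all is the better default.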

Because Concerto orchestrates an organisation's SD-WAN and SASE deployment, unpatched instances are a high-value target: the two Traefik flaws bypass authentication entirely, and the container escape turns a foothold inside the container into write access to the host.

Lack of Response Post-Disclosure Deadline

On February 13, ProjectDiscovery informed the Versa Concerto team of the vulnerabilities, and the two parties agreed on a 90-day disclosure window. On March 28 the Versa team said hotfixes and patches would be available by April 7, but after multiple follow-ups during April ProjectDiscovery found no evidence that any patches had shipped.

The 90-day window closed on May 13. After waiting a few additional days, ProjectDiscovery published its analysis on May 21 and reported the findings to VulnCheck, a CVE Numbering Authority (CNA), which issued the CVE identifiers.

As of the latest updates, attempts to contact Versa Networks for comments have gone unanswered.