Severe Vulnerabilities in Versa Concerto Enable Docker Escape and Host Compromise Risks
Cybersecurity researchers have identified several significant security vulnerabilities within the Versa Concerto network security and SD-WAN orchestration platform. These vulnerabilities may be exploited to compromise affected instances.
Despite a responsible disclosure made on February 13, 2025, these issues have not been patched, leading to a public release of the vulnerabilities after the 90-day window for remediation expired.
Researchers from ProjectDiscovery, including Harsh Jaiswal, Rahul Maini, and Parth Malhotra, reported that these vulnerabilities, when exploited together, could potentially allow an attacker to gain complete control over both the application and the underlying host system.
The following vulnerabilities have been cataloged:
– CVE-2025-34025 (CVSS score: 8.6): This vulnerability involves privilege escalation and Docker container escape risks stemming from insecure default configurations for mounting host binary paths. Exploitation could lead to code execution on the host machine.
– CVE-2025-34026 (CVSS score: 9.2): An authentication bypass vulnerability exists in the Traefik reverse proxy configuration, giving an attacker unauthorized access to administrative endpoints. This access can potentially be used to retrieve heap dumps and trace logs via the Spring Boot Actuator endpoint, particularly using CVE-2024-45410.
– CVE-2025-34027 (CVSS score: 10.0): This is another authentication bypass vulnerability allowing attackers to gain access to administrative endpoints. Successful exploitation could lead to remote code execution through a vulnerable package upload endpoint (“/portalapi/v1/package/spack/upload”) due to arbitrary file write capabilities.
Exploiting CVE-2025-34027 enables an attacker to leverage a race condition to write malicious files to the disk, ultimately leading to remote code execution via LD_PRELOAD alongside a reverse shell. Researchers elaborated on their methodology, stating, “Our approach involved overwriting ../../../../../../etc/ld.so.preload with a path pointing to /tmp/hook.so. Simultaneously, we uploaded /tmp/hook.so, which contained a compiled C binary for a reverse shell. Since our request triggered two file write operations, we leveraged this to ensure both files were written within the same request.”
Once both files were successfully written, any subsequent command execution on the system while they remained present would cause /tmp/hook.so to be loaded and executed, thus providing the attackers with a reverse shell.
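As an added, defender-side example (not code from the article, from ProjectDiscovery or from Versa), the following Python check audits the contents of /etc/ld.so.preload, the file the researchers' chain overwrote, and flags any preloaded library that lives outside the system library directories, such as one under /tmp. The trusted-prefix list and the sample inputs are assumptions chosen for illustration.

```python
"""Defensive check: flag suspicious /etc/ld.so.preload contents.

Added example, not from the original article or from Versa/ProjectDiscovery.
Assumption: on a healthy host /etc/ld.so.preload is absent or empty, and any
library it names should live under the system library directories.
"""
import os

# Assumed set of directories where legitimately preloaded libraries live.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def audit_preload(content, exists=os.path.exists):
    """Return a list of (entry, reason) findings for the given ld.so.preload text.

    `exists` is injectable so the function can be exercised on constructed
    input without touching the real filesystem.
    """
    findings = []
    for raw in content.splitlines():
        line = raw.strip()
        # The loader ignores blank lines and '#' comments.
        if not line or line.startswith("#"):
            continue
        # Entries may be separated by whitespace or ':'.
        for entry in line.replace(":", " ").split():
            if not entry.startswith("/"):
                findings.append((entry, "relative path in preload list"))
            elif not entry.startswith(TRUSTED_LIB_PREFIXES):
                findings.append((entry, "library outside system library directories"))
            elif not exists(entry):
                findings.append((entry, "dangling entry (file missing)"))
    return findings


def audit_preload_file(path="/etc/ld.so.preload"):
    """Audit the real file; an absent file is the clean, expected state."""
    if not os.path.exists(path):
        return []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_preload(fh.read())


# Constructed sample contents (not real captures).
CLEAN_SAMPLE = "# nothing preloaded\n"
SUSPICIOUS_SAMPLE = "/tmp/hook.so\n"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, audit_preload(sample, exists=lambda p: True))
    print("live host:", audit_preload_file())
```

Run periodically (or from a file-integrity monitor triggered on writes to /etc/ld.so.preload); a non-empty result is worth an alert, because a legitimately configured host rarely preloads libraries from world-writable locations at all.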
In the absence of official patches, users are advised to implement several mitigation measures, including blocking semicolons in URL paths and rejecting requests with a Connection header containing the value X-Real-Ip. Monitoring network traffic and logs for unusual activity is also strongly recommended.
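The two interim mitigations above can be expressed as a small request filter. The following Python code is an added example, not code from the article, from Versa, or from ProjectDiscovery; it assumes the filter sits in front of the application (as proxy or middleware logic) and sees the request path and headers, and the sample requests are constructed for illustration.

```python
"""Interim request filter mirroring the article's mitigations:
1. reject URL paths containing a semicolon (also in percent-encoded form);
2. reject requests whose Connection header lists X-Real-Ip.

Added example; assumes it runs in front of the application and receives the
raw request path plus a header mapping.
"""
from urllib.parse import unquote


def is_blocked(path, headers):
    """Return (blocked, reason). Header names are matched case-insensitively."""
    # Rule 1: semicolon anywhere in the path, before or after percent-decoding,
    # so "%3B" cannot slip past a check on the raw path alone.
    if ";" in path or ";" in unquote(path):
        return True, "semicolon in URL path"
    # Rule 2: Connection is a comma-separated token list; a token naming
    # X-Real-Ip marks that header as hop-by-hop, which is what the advisory
    # says to reject.
    for name, value in headers.items():
        if name.lower() == "connection":
            tokens = [t.strip().lower() for t in value.split(",")]
            if "x-real-ip" in tokens:
                return True, "Connection header lists X-Real-Ip"
    return False, ""


def filter_requests(requests):
    """Apply is_blocked to an iterable of (path, headers); return decisions."""
    return [(path, *is_blocked(path, headers)) for path, headers in requests]


# Constructed sample requests (not real captures); hostnames are placeholders.
SAMPLE_REQUESTS = [
    ("/api/v1/status", {"Host": "concerto.example", "Connection": "keep-alive"}),
    ("/api/v1;x/status", {"Host": "concerto.example"}),
    ("/api/v1/status", {"Host": "concerto.example", "Connection": "close, X-Real-Ip"}),
    ("/api/v1%3Bx", {"Host": "concerto.example"}),
]

if __name__ == "__main__":
    for path, blocked, reason in filter_requests(SAMPLE_REQUESTS):
        verdict = "BLOCK" if blocked else "ALLOW"
        print(f"{verdict} {path}" + (f" ({reason})" if reason else ""))
```

In production these rules belong in the reverse proxy or WAF rather than in application code, and they are a stopgap only; the page itself notes that the real fix is the Concerto 12.2.1 GA release. Logging each blocked request, rather than silently dropping it, also gives the monitoring the advisory recommends something concrete to alert on.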
In an update, Versa Networks confirmed resolving the identified vulnerabilities in Concerto version 12.2.1 GA, released on April 16, 2025. In their official statement, the company emphasized their commitment to maintaining high standards of security and transparency across the platform.
Versa initiated its response process on February 13, 2025, upon identification of these vulnerabilities; fixes were developed and validated by March 7, 2025, followed by a GA release on April 16, 2025. Although many clients have upgraded to the latest version, the company acknowledged that some deployments of the update are still in progress.
Customer notifications regarding affected releases and guidance on applying updates have been disseminated through established security and support channels. Versa stated that there is no evidence of exploitation in the wild nor any reported impact on clients. They reiterated their adherence to responsible disclosure practices and a proactive stance on identifying and mitigating risks, underpinning their commitment to continuous monitoring, rapid responses, and customer education.