Critical flaws in Versa Concerto allow RCE, auth bypass

Several critical vulnerabilities in Versa Concerto that are yet to be patched could allow threat actors to execute arbitrary code and bypass authentication on compromised systems remotely. Two out of the three security bugs have been assigned critical severity scores.

Versa Concerto is a widely used platform for centralised management and orchestration of Versa Networks’ SASE and SD-WAN network security solutions. It is used by government agencies requiring secure segmented networks, enterprises that need to manage complex WAN environments, security service providers managing multiple deployments and telecom operators providing managed SASE or SD-WAN services to customers.

Researchers at vulnerability management firm ProjectDiscovery publicly disclosed the flaws and reported them to the vendor. A URL decoding inconsistency, tracked as CVE-2025-34027, was given a CVSS score of 10. It lets adversaries bypass authorisation and gain access to a file upload endpoint. Attackers can then write malicious files to disk and remotely execute code by exploiting a race condition using ‘ld.so.preload’ and a reverse shell.

The second flaw, CVE-2025-34026 (CVSS score of 9.2), allows access controls on sensitive Spring Boot Actuator endpoints to be bypassed because of improper reliance on the ‘X-Real-Ip’ header. Threat actors can extract credentials and session tokens using a Traefik proxy trick that suppresses the header.

A misconfiguration in the Docker setup makes host binaries vulnerable to container writes. A full host compromise can take place when an attacker uses a reverse shell script to overwrite a binary, such as “test,” which is subsequently executed by a host’s cron job. The vulnerability was labelled CVE-2025-34025 and given a severity score of 8.6.

ProjectDiscovery reported the vulnerabilities to Versa Networks on February 13 and provided a 90-day disclosure period. The vendor acknowledged the cybersecurity firm’s findings and requested further details.

Versa Networks indicated on March 28 that hotfixes would be made available for impacted versions on April 7. However, the company stopped responding to ProjectDiscovery regarding the patches. When the 90-day disclosure period ended on May 13, the security firm decided to publish details of the critical flaws to inform Versa Concerto users of the risk.

Due to the lack of an official fix, organisations using Versa Concerto have been advised to apply temporary mitigations. The recommended measures are blocking semicolons in URLs using a reverse proxy and dropping requests with ‘Connection: X-Real-Ip’ to prevent exploitation of the actuator access flaw.
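The two temporary mitigations can be expressed as a request-screening check, shown here as an added example that is not code from ProjectDiscovery or Versa Networks. It goes slightly beyond the advisory by also rejecting percent-encoded semicolons and by parsing ‘Connection’ as a case-insensitive, comma-separated list; the function names and sample requests are assumptions constructed for illustration.

```python
from typing import Optional
from urllib.parse import unquote


def has_semicolon(target: str, max_rounds: int = 3) -> bool:
    """True if ';' appears in the request target, raw or after repeated percent-decoding."""
    current = target
    for _ in range(max_rounds + 1):
        if ";" in current:
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            return False
        current = decoded
    return False


def connection_tokens(headers: dict) -> set:
    """Lower-cased names listed in the Connection header.

    Connection names headers that a proxy treats as hop-by-hop and removes
    before forwarding, which is how X-Real-Ip ends up suppressed.
    """
    tokens = set()
    for name, value in headers.items():
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def screen_request(target: str, headers: dict) -> Optional[str]:
    """Return the reason a request should be dropped, or None if it passes both rules."""
    if has_semicolon(target):
        return "semicolon in URL"
    if "x-real-ip" in connection_tokens(headers):
        return "Connection header lists X-Real-Ip"
    return None


# Constructed sample requests; paths and addresses are placeholders.
SAMPLES = [
    ("/app/login", {"Connection": "keep-alive"}),
    ("/app/a;b/resource", {}),
    ("/app/a%253bb/resource", {}),
    ("/status", {"connection": "close, X-Real-Ip"}),
    ("/status", {"X-Real-Ip": "203.0.113.7", "Connection": "close"}),
]

if __name__ == "__main__":
    for target, headers in SAMPLES:
        print(target, headers, "->", screen_request(target, headers) or "pass")
```

The same two conditions belong in the reverse proxy in front of Concerto; the last sample shows that an ordinary ‘X-Real-Ip’ header on its own is not blocked.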

Arun Maity
