CVE-2025-34026
Versa Concerto Improper Authentication Vulnerability
Listed in the CISA Known Exploited Vulnerabilities (KEV) catalog
CVSS score: 9.2 (Critical)
Published:
Last updated:
Source: disclosure@vulncheck.com
Status: Analyzed
Weakness (CWE)
CVSS Vector (v4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: None
- User Interaction: None
- Confidentiality (Vulnerable System): High
- Integrity (Vulnerable System): None
- Availability (Vulnerable System): None
- Confidentiality (Subsequent System): High
- Integrity (Subsequent System): Low
- Availability (Subsequent System): None
Description
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs. This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
References
disclosure@vulncheck.com
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34026