CVE-2025-34026
published 2025-05-21

Priority: P1 (93) · Severity: high · CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2026-02-12)
Exploited in the wild
EPSS: 83.48% (99.6th percentile)
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs. This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

Affected (4 ranges)

Vendor          Product   Version range          Fixed in
versa-networks  concerto  (not specified)        (not specified)
versa-networks  concerto  (not specified)        (not specified)
versa-networks  concerto  >= 11.4.0, < 12.1.2    12.1.2
versa           concerto  12.1.2 – 12.2.0        (not specified)

Note that the third range (fixed in 12.1.2) conflicts with the fourth range and with the description above, which list 12.1.2 through 12.2.0 as affected. Since the sources disagree and NVD/CISA say additional versions may be vulnerable, treat any Concerto at or below 12.2.0 as exposed until the vendor confirms the installed build carries the fix.

Detection & IOCs (extracted from sources)

url     /portalapi/actuator
cookie  EECP-CSRF-TOKEN
other   http.favicon.hash:-534530225 (Shodan favicon hash)
Nuclei template (YAML; the request, matchers and id are the page's own, with the info block and indentation completed so the template loads):

id: CVE-2025-34026

info:
  name: Versa Concerto - Actuator Authentication Bypass
  author: unknown   # author not stated on the page; nuclei requires the field
  severity: high
  metadata:
    shodan-query: http.favicon.hash:-534530225

http:
  - raw:
      - |
        GET /portalapi/actuator HTTP/1.1
        Host: {{Hostname}}
        Connection: X-Real-Ip

    # both matchers must hit: the actuator index lists heapdump, and the
    # response carries the EECP-CSRF-TOKEN cookie header
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - heapdump

      - type: word
        part: header
        words:
          - EECP-CSRF-TOKEN
  • Detect exploitation attempts by monitoring HTTP requests to /portalapi/actuator whose Connection header is set to X-Real-Ip. Listing X-Real-Ip in Connection declares it a hop-by-hop header, so the proxy strips it before forwarding the request, which is what suppresses the header and bypasses Traefik's access control.
  • Alert on HTTP responses to /portalapi/actuator containing the string 'heapdump' in the body; that is the actuator index listing the heapdump endpoint, indicating the actuator was reached.
  • Alert on HTTP responses carrying EECP-CSRF-TOKEN in a header (the IOC list records it as a cookie, so in practice this is the Set-Cookie header), which confirms a successful hit against the Versa Concerto actuator endpoint.
  • Use the Shodan query http.favicon.hash:-534530225 to identify internet-exposed Versa Concerto instances for asset discovery and attack surface reduction; every hit is a management plane that is reachable from the internet and a candidate for removal from it.
  • As a WAF or reverse-proxy rule, drop or alert on inbound requests that list X-Real-Ip in the Connection header; legitimate clients have no reason to send that token, so the rule blocks the bypass technique with little false-positive risk.
  • Root cause: a Traefik reverse proxy misconfiguration. The X-Real-Ip header is improperly trusted to gate access to the Spring Boot Actuator endpoints, and because the check passes when the header is absent rather than failing closed, stripping the header bypasses the access control entirely.
  • Affected versions are Concerto 12.1.2 through 12.2.0; additional versions may also be vulnerable per NVD and CISA.
  • The vendor states that fixes were completed on March 7, 2025 and that a GA release was available on April 16, 2025; organizations should verify their patch status via the vendor security portal.
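
To make the root cause concrete, the following is an added Python model of the behaviour the notes above describe; it is not code from Versa, Traefik, or this page. It models a proxy that honours the client's Connection header when deciding which headers are hop-by-hop, a backend that gates /portalapi/actuator on X-Real-Ip and treats a missing header as passing, and two hardened variants (strip client-controlled hop-by-hop headers before stamping X-Real-Ip; fail closed when the header is absent). The function names, the internal-network allowlist, and the IP addresses are assumptions for illustration, and the hardened variants are generic fixes, not the vendor's patch.

```python
"""
Added model of the CVE-2025-34026 bypass path: a reverse proxy that honours the
client's Connection header when choosing hop-by-hop headers, and a backend that
gates /portalapi/actuator on the X-Real-Ip header the proxy sets.
Simplified illustration only; not Traefik or Versa code.
"""
import ipaddress
from typing import Callable, Dict, Set

ACTUATOR_PREFIX = "/portalapi/actuator"

# Assumed allowlist of networks the backend considers "internal" (RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def connection_tokens(headers: Dict[str, str]) -> Set[str]:
    """Header names listed in Connection (RFC 7230 6.1: hop-by-hop, must not be forwarded)."""
    raw = headers.get("connection", "")
    return {t.strip().lower() for t in raw.split(",") if t.strip()}


def proxy_vulnerable(client_ip: str, req: Dict[str, str]) -> Dict[str, str]:
    """Weak ordering: stamp X-Real-Ip, then drop every header named in Connection.
    'Connection: X-Real-Ip' therefore deletes the proxy's own stamp before forwarding."""
    fwd = {k.lower(): v for k, v in req.items()}
    fwd["x-real-ip"] = client_ip
    for name in connection_tokens(fwd):
        fwd.pop(name, None)
    fwd.pop("connection", None)
    return fwd


def proxy_hardened(client_ip: str, req: Dict[str, str]) -> Dict[str, str]:
    """Assumed fix (not the vendor's): strip client-controlled hop-by-hop headers and any
    client-supplied X-Real-Ip first, then stamp X-Real-Ip last so the client cannot touch it."""
    fwd = {k.lower(): v for k, v in req.items()}
    for name in connection_tokens(fwd):
        fwd.pop(name, None)
    fwd.pop("connection", None)
    fwd["x-real-ip"] = client_ip
    return fwd


def _is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def backend_vulnerable(path: str, headers: Dict[str, str]) -> bool:
    """Gate as the page describes: a missing X-Real-Ip is not treated as external,
    so an actuator request with the header stripped is allowed."""
    if not path.startswith(ACTUATOR_PREFIX):
        return True
    real_ip = headers.get("x-real-ip")
    return real_ip is None or _is_internal(real_ip)


def backend_hardened(path: str, headers: Dict[str, str]) -> bool:
    """Assumed fix: fail closed, no X-Real-Ip means no actuator access."""
    if not path.startswith(ACTUATOR_PREFIX):
        return True
    real_ip = headers.get("x-real-ip")
    return real_ip is not None and _is_internal(real_ip)


Proxy = Callable[[str, Dict[str, str]], Dict[str, str]]
Backend = Callable[[str, Dict[str, str]], bool]


def actuator_reachable(proxy: Proxy, backend: Backend, client_ip: str,
                       req: Dict[str, str], path: str = ACTUATOR_PREFIX) -> bool:
    """Run one request through a proxy/backend pair; True means the actuator answered."""
    return backend(path, proxy(client_ip, req))


EXTERNAL = "203.0.113.7"   # TEST-NET-3 address standing in for an internet attacker
INTERNAL = "10.20.30.40"   # assumed RFC 1918 address of a legitimate operator host
BYPASS_REQ = {"Host": "concerto.example", "Connection": "X-Real-Ip"}
NORMAL_REQ = {"Host": "concerto.example"}

if __name__ == "__main__":
    print("vulnerable stack, external + Connection: X-Real-Ip ->",
          actuator_reachable(proxy_vulnerable, backend_vulnerable, EXTERNAL, BYPASS_REQ))
    print("vulnerable stack, external, plain request          ->",
          actuator_reachable(proxy_vulnerable, backend_vulnerable, EXTERNAL, NORMAL_REQ))
    print("hardened proxy, vulnerable backend                 ->",
          actuator_reachable(proxy_hardened, backend_vulnerable, EXTERNAL, BYPASS_REQ))
    print("vulnerable proxy, hardened backend                 ->",
          actuator_reachable(proxy_vulnerable, backend_hardened, EXTERNAL, BYPASS_REQ))
    print("hardened stack, internal operator                  ->",
          actuator_reachable(proxy_hardened, backend_hardened, INTERNAL, NORMAL_REQ))
```

Either hardening on its own closes this particular path, and the two are independent: the proxy fix keeps the client from erasing the proxy's stamp, and the backend fix stops a missing stamp from being read as "trusted". Gating a privileged endpoint on a header is brittle in general; the real question is whether anything other than the proxy can reach the backend, and whether absence of the header was ever a safe default.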

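The detection rules in the list above, run over a handful of constructed access-log events as an added Python example (not code from the page, the Nuclei project, or Versa). The JSON-lines event format and its field names are assumptions; the four sample events are constructed, not real Versa logs. The request-side rule is the one that also serves as the WAF/reverse-proxy block rule, and the response-side rules are the same two indicators the Nuclei template matches on.

```python
"""
Added detection example: applies the request- and response-side rules for
CVE-2025-34026 to JSON-lines access log events such as a proxy or WAF might
emit. Event format and field names are assumptions; events are constructed.
"""
import json
from typing import Dict, List, Set

ACTUATOR_PATH = "/portalapi/actuator"

# Constructed sample events, one JSON object per line; header maps are lower-cased.
SAMPLE_LOG = """\
{"src":"198.51.100.9","method":"GET","path":"/portal/login","status":200,"req_headers":{"connection":"keep-alive"},"resp_headers":{},"body_snippet":"<html>"}
{"src":"203.0.113.7","method":"GET","path":"/portalapi/actuator","status":200,"req_headers":{"connection":"X-Real-Ip"},"resp_headers":{"set-cookie":"EECP-CSRF-TOKEN=abc123; Path=/"},"body_snippet":"_links heapdump href /portalapi/actuator/heapdump"}
{"src":"203.0.113.7","method":"GET","path":"/portalapi/actuator","status":403,"req_headers":{},"resp_headers":{},"body_snippet":"forbidden"}
{"src":"203.0.113.7","method":"GET","path":"/portalapi/actuator/heapdump","status":200,"req_headers":{"connection":"keep-alive, x-real-ip"},"resp_headers":{},"body_snippet":"JAVA PROFILE 1.0.2"}
"""


def connection_tokens(headers: Dict[str, str]) -> Set[str]:
    """Comma-separated header names in Connection, normalised to lower case."""
    return {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}


def request_is_bypass_attempt(ev: dict) -> bool:
    """Request rule (also the WAF block rule): actuator path and X-Real-Ip
    listed as a hop-by-hop header in Connection."""
    return (ev["path"].startswith(ACTUATOR_PATH)
            and "x-real-ip" in connection_tokens(ev["req_headers"]))


def response_success_indicators(ev: dict) -> List[str]:
    """Response rules: signs that the actuator actually answered."""
    hits: List[str] = []
    if not ev["path"].startswith(ACTUATOR_PATH):
        return hits
    if ev["status"] == 200 and "heapdump" in ev["body_snippet"].lower():
        hits.append("actuator-index-lists-heapdump")
    if any("eecp-csrf-token" in v.lower() for v in ev["resp_headers"].values()):
        hits.append("eecp-csrf-token-in-response")
    return hits


def scan(log_text: str) -> List[dict]:
    """Return one alert per event that matched at least one rule, in log order."""
    alerts: List[dict] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons: List[str] = []
        if request_is_bypass_attempt(ev):
            reasons.append("connection-header-names-x-real-ip")
        reasons.extend(response_success_indicators(ev))
        if reasons:
            alerts.append({"line": lineno, "src": ev["src"], "path": ev["path"],
                           "status": ev["status"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the second event (request carried Connection: X-Real-Ip, the actuator index came back with the heapdump link and the EECP-CSRF-TOKEN cookie) fires all three rules and is a confirmed success; the fourth fires only the request rule and still deserves an alert, since the attacker is already fetching the heap dump. The 403 probe with no Connection header matches nothing, which is the intended behaviour: ordinary scanning of /portalapi/actuator is noise, and the Connection token is the discriminating signal.
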
CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd        v4.0     9.2    CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck           9.2    CRITICAL
cisa                9.2    CRITICAL