CVE-2025-34026
Published: 2025-05-21
Priority: P1 · 93 · high · CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2026-02-12
Exploited in the wild
EPSS: 83.48% (99.6th percentile)
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs. This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| versa-networks | concerto | — | — |
| versa-networks | concerto | — | — |
| versa-networks | concerto | >= 11.4.0 < 12.1.2 | 12.1.2 |
| versa | concerto | 12.1.2 – 12.2.0 | — |
Detection & IOCs (extracted from sources)

sigma (template in nuclei HTTP format):

```yaml
id: CVE-2025-34026
http:
  - raw:
      - |
        GET /portalapi/actuator HTTP/1.1
        Host: {{Hostname}}
        Connection: X-Real-Ip
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - heapdump
      - type: word
        part: header
        words:
          - EECP-CSRF-TOKEN
```

Detection and mitigation guidance:
- Detect exploitation attempts by monitoring HTTP requests to /portalapi/actuator where the Connection header is set to X-Real-Ip (naming X-Real-Ip in Connection makes the proxy strip it as a hop-by-hop header, which suppresses the header and bypasses the Traefik access control)
- Alert on HTTP responses to /portalapi/actuator containing the string heapdump in the body, indicating successful actuator endpoint access
- Alert on HTTP responses containing the EECP-CSRF-TOKEN header, which confirms a successful hit against the Versa Concerto actuator endpoint
- Use the Shodan query http.favicon.hash:-534530225 to identify internet-exposed Versa Concerto instances for asset discovery and attack-surface reduction
- Drop or alert on inbound requests where Connection: X-Real-Ip is present, as a WAF or reverse-proxy rule, to block the authentication bypass technique (match X-Real-Ip as a token in the comma-separated Connection value, case-insensitively, not only the exact string)

Notes:
- The vulnerability is rooted in a Traefik reverse proxy misconfiguration: the X-Real-Ip header is improperly trusted to gate access to the Spring Boot Actuator endpoints, so omitting it bypasses the access control entirely
- Affected versions are Concerto 12.1.2 through 12.2.0; additional versions may also be vulnerable per NVD and CISA
- Vendor states fixes were completed March 7, 2025 and a GA release was available April 16, 2025; organizations should verify patch status via the vendor security portal
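As an added example (not from the page's sources, the ProjectDiscovery template, or Versa), here are the request-side and response-side indicators above applied to constructed log lines. It assumes a Traefik JSON access log configured to keep headers, with field names of the form request_<Header> and downstream_<Header>; the sample lines, addresses and that field layout are assumptions made for the demo.

```python
import json

# Constructed sample lines in the shape of a Traefik JSON access log with
# headers kept. The request_<Header> / downstream_<Header> field names and
# the addresses are assumptions for this example, not data from the page.
SAMPLE_LOG = """
{"ClientAddr":"203.0.113.7:51234","RequestMethod":"GET","RequestPath":"/portalapi/actuator","DownstreamStatus":200,"request_Connection":"X-Real-Ip","request_User-Agent":"curl/8.4.0","downstream_EECP-CSRF-TOKEN":"c0ffee"}
{"ClientAddr":"198.51.100.9:44010","RequestMethod":"GET","RequestPath":"/portalapi/login","DownstreamStatus":200,"request_Connection":"keep-alive","request_User-Agent":"Mozilla/5.0"}
{"ClientAddr":"203.0.113.7:51240","RequestMethod":"GET","RequestPath":"/portalapi/actuator/heapdump","DownstreamStatus":200,"request_Connection":"keep-alive, x-real-ip","request_User-Agent":"curl/8.4.0"}
{"ClientAddr":"192.0.2.44:60001","RequestMethod":"GET","RequestPath":"/portalapi/actuator","DownstreamStatus":403,"request_Connection":"keep-alive","request_User-Agent":"python-requests/2.31"}
"""

ACTUATOR_PREFIX = "/portalapi/actuator"


def connection_tokens(value):
    """Connection is a comma-separated list of header names; compare case-insensitively."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}


def classify(entry):
    """Return the indicator names that fire for one parsed log entry."""
    hits = []
    path = entry.get("RequestPath", "")
    if "x-real-ip" in connection_tokens(entry.get("request_Connection")):
        # Hop-by-hop trick: naming X-Real-Ip in Connection makes the proxy strip it.
        hits.append("connection-x-real-ip")
    if path.startswith(ACTUATOR_PREFIX):
        hits.append("actuator-path")
        if entry.get("DownstreamStatus") == 200:
            hits.append("actuator-200")
    # Response-side confirmation: the EECP-CSRF-TOKEN header reached the client.
    if any(k.lower() == "downstream_eecp-csrf-token" for k in entry):
        hits.append("eecp-csrf-token-header")
    return hits


def scan(log_text):
    """Parse each JSON line and return (client_ip, path, hits) for lines with any hit."""
    alerts = []
    for line in log_text.strip().splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        hits = classify(entry)
        if hits:
            client_ip = entry.get("ClientAddr", "").rsplit(":", 1)[0]
            alerts.append((client_ip, entry.get("RequestPath", ""), hits))
    return alerts


def high_confidence(alerts):
    """Bypass attempt = hop-by-hop trick on an actuator path; a 200 means it likely worked."""
    return [a for a in alerts if "connection-x-real-ip" in a[2] and "actuator-path" in a[2]]


if __name__ == "__main__":
    for client_ip, path, hits in scan(SAMPLE_LOG):
        print(client_ip, path, ",".join(hits))
```

The Connection indicator on its own is a strong signal, since no legitimate client names X-Real-Ip as a hop-by-hop header; pairing it with the actuator path and a 200 status separates attempts from successes. Traefik does not log headers by default, so the request and response header fields have to be enabled under its accessLog configuration before this detector has anything to match.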
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | — | 9.2 | CRITICAL | — |
| CISA | — | 9.2 | CRITICAL | — |
GHSA
GHSA-h2mm-jj4p-hm2p · ghsa_unreviewed · 2025-05-22 · CVE-2025-34026 [CRITICAL] CWE-287
VulnCheck
Versa Concerto Improper Authentication Vulnerability · vulncheck · 2025 · CVSS 9.2 · CVE-2025-34026 [CRITICAL] CWE-288
Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.
Affected: Versa Concerto
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://app.crowdsec.net/cti/cve-explorer/CVE-2025-34026
- https://cyble.com/blog/week-in-vulnerabilities-ivanti-flagged-by-cyble/
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-21&host_
CISA
Versa Concerto Improper Authentication Vulnerability · cisa · 2026-01-22 · CVSS 9.2 · CVE-2025-34026 [CRITICAL] CWE-288
Affected: Versa Concerto
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes:
- https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e
- https://nvd.nist.gov/vuln/detail/CVE-2025-34026
Remediation Due Date: 2026-02-12
Nuclei
Versa Concerto Actuator Endpoint - Authentication Bypass · nuclei · CVSS 9.2 · CVE-2025-34026 [CRITICAL]
An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header. Attackers could access restricted endpoints by omitting this header. The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.
Template:

```yaml
id: CVE-2025-34026
info:
  name: Versa Concerto Actuator Endpoint - Authentication Bypass
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header
```
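To make the "omit the header" mechanism concrete, here is an added model of the flawed proxy-and-backend arrangement next to two hardened variants. It is example code written for this page, not Traefik's or Versa's implementation: the proxy is reduced to RFC 7230 hop-by-hop stripping plus setting X-Real-Ip, the backend to a single gate on /portalapi/actuator, and the ordering in vulnerable_proxy is an assumption chosen to reproduce the behaviour the advisory describes.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    client_ip: str = "203.0.113.7"  # constructed client address


# Headers RFC 7230 always treats as hop-by-hop (lower-cased for comparison).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def strip_hop_by_hop(headers):
    """RFC 7230 s6.1: a proxy removes hop-by-hop headers, including any header the
    client names in Connection. This is the step the bypass abuses."""
    named = {t.strip().lower() for t in headers.get("Connection", "").split(",") if t.strip()}
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP | named}


def vulnerable_proxy(req):
    """Assumed flawed ordering: tag the request with X-Real-Ip, then apply hop-by-hop
    stripping, so a client-controlled Connection value can delete the tag."""
    h = dict(req.headers)
    h["X-Real-Ip"] = req.client_ip
    return Request(req.path, strip_hop_by_hop(h), req.client_ip)


def hardened_proxy(req):
    """Strip client-named hop-by-hop headers first, then set the trusted header,
    so nothing the client sends can remove it."""
    h = strip_hop_by_hop(dict(req.headers))
    h["X-Real-Ip"] = req.client_ip
    return Request(req.path, h, req.client_ip)


def vulnerable_backend(req, authenticated=False):
    """Flawed gate: absence of X-Real-Ip is taken as proof the request is internal."""
    if req.path.startswith("/portalapi/actuator") and "X-Real-Ip" in req.headers:
        return 403
    return 200


def hardened_backend(req, authenticated=False):
    """Fail closed: the actuator needs real authentication, whatever the headers say."""
    if req.path.startswith("/portalapi/actuator") and not authenticated:
        return 401
    return 200


def outcome(proxy, backend, headers, path="/portalapi/actuator"):
    """Status code the client sees for one request through a given proxy/backend pair."""
    return backend(proxy(Request(path, dict(headers))))


NORMAL = {"Host": "concerto.example"}
BYPASS = {"Host": "concerto.example", "Connection": "X-Real-Ip"}

if __name__ == "__main__":
    print("vulnerable, plain request :", outcome(vulnerable_proxy, vulnerable_backend, NORMAL))
    print("vulnerable, bypass request:", outcome(vulnerable_proxy, vulnerable_backend, BYPASS))
    print("hardened proxy, bypass    :", outcome(hardened_proxy, vulnerable_backend, BYPASS))
    print("hardened backend, bypass  :", outcome(vulnerable_proxy, hardened_backend, BYPASS))
```

Either hardening closes this particular hole, but only the backend change removes the underlying design fault: a gate that grants access when a header is missing trusts every component in front of it to always add that header, and the proxy's own standards-mandated stripping is enough to break that assumption. Actuator endpoints are better bound to a management port or protected by their own authentication than inferred from proxy-supplied headers.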
Bleepingcomputer
CISA confirms active exploitation of four enterprise software bugs · blogs_bleepingcomputer · 2026-01-23 · CVSS 5.3 [MEDIUM]
By Bill Toulas
The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. warned of active exploitation of four vulnerabilities impacting enterprise software from Versa and Zimbra, the Vite frontend tooling framework, and the Prettier code formatter.
The security issues have been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, indicating that the agency has evidence that hackers are exploiting them in the wild.
One of the vulnerabilities is CVE-2025-31125 , a high-severity improper access control issue disclosed in March last year that can be exploited to expose non-allowed files when the server is explicitly exposed to the network.
The issue affects only exposed dev instances and has bee
Bleepingcomputer
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE · blogs_bleepingcomputer · 2025-05-22 · CVSS 8.6 [HIGH]
By Bill Toulas
Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems.
Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.
Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.
It is used by large enterprises managing complex WAN environments, telecom operators providing managed SD-WAN/SASE services to customers, government agencies th
Recorded Future
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day · blogs_recorded_future · CVSS 4.9 [MEDIUM]
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounte
Greynoiseio
NoiseLetter February 2026 · blogs_greynoiseio
References:
- https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
- https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34026

Timeline:
- 2025-05-21: Published
- 2026-01-22: Added to CISA KEV
- Exploited in the wild