CVE-2025-34027
published 2025-05-21


Priority: P1 · 93 · critical · 10 · CVSS 4.0
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 35.99% (98.3th percentile)

The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE). This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

Affected (1 range)

Vendor | Product | Version range | Fixed in
versa | concerto | 12.1.2 – 12.2.0 | (none listed)

Detection & IOCs (extracted from sources)

url: GET /portalapi/v1/roles/option;%2fv1%2fping HTTP/1.1
path: /portalapi/v1/roles/option;%2fv1%2fping
cookie: EECP-CSRF-TOKEN
  • Detect authentication bypass attempts by looking for semicolon-encoded path segments in URLs targeting Versa Concerto API endpoints (e.g., /portalapi/v1/roles/option;%2f...)
  • Successful exploitation returns 'ENTERPRISE_ADMINISTRATOR' in the response body — alert on this string appearing in unauthenticated API responses
  • Successful exploitation returns the 'EECP-CSRF-TOKEN' header in the response — monitor for this header on unauthenticated requests
  • Block or alert on semicolons in URLs at the WAF/reverse proxy layer as a mitigation against the URL decoding inconsistency bypass
  • Drop or alert on requests containing 'Connection: X-Real-Ip' header to block actuator access abuse (related CVE-2025-34026 chaining vector)
  • Check Point IPS blade signature 'Versa Concerto Authentication Bypass' provides detection coverage for this CVE
  • Affected versions are Versa Concerto 12.1.2 through 12.2.0; additional versions outside this range may also be vulnerable
  • The vulnerability stems from URL decoding inconsistencies in the Traefik reverse proxy configuration; the bypass uses semicolon-encoded path segments to reach protected endpoints
  • RCE is achieved via a TOCTOU race condition on the Spack upload endpoint combined with ld.so.preload path loading manipulation; exploitation requires chaining the auth bypass with the race condition
  • Versa Networks states hotfixes were completed March 7, 2025 and a GA release was made available April 16, 2025; no confirmed in-the-wild exploitation reported as of disclosure
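
The semicolon-path and 'Connection: X-Real-Ip' checks from the list above, written as a log scan. This is an added example, not a rule from the vendor or from the sources this page quotes. The log layout (combined-format fields followed by the quoted Connection header), the sample lines, the rule names and the placeholder path are all constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumed layout: ip - - [time] "METHOD target PROTO" status bytes "Connection header"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<conn>[^"]*)"$'
)

def findings(line):
    """Return the names of the rules that one access-log line triggers."""
    m = LINE_RE.match(line)
    if not m:
        # Surface lines the parser cannot read instead of silently skipping them.
        return ["unparsed"]
    hits = []
    # Drop the query string, then normalise percent-encoding before matching.
    path = unquote(m["target"].split("?", 1)[0]).lower()
    if "/portalapi/" in path and ";" in path:
        hits.append("semicolon-in-portalapi-path")
    # Connection header that lists X-Real-Ip (CVE-2025-34026 chaining vector).
    tokens = [t.strip().lower() for t in m["conn"].split(",")]
    if "x-real-ip" in tokens:
        hits.append("connection-x-real-ip")
    return hits

def scan(lines):
    """Map line index -> triggered rules, for lines with at least one hit."""
    report = {}
    for i, line in enumerate(lines):
        hits = findings(line)
        if hits:
            report[i] = hits
    return report

# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/May/2025:10:00:00 +0000] "GET /portalapi/v1/roles/option HTTP/1.1" 401 120 "keep-alive"',
    '198.51.100.7 - - [21/May/2025:10:00:05 +0000] "GET /portalapi/v1/roles/option;%2fv1%2fping HTTP/1.1" 200 512 "keep-alive"',
    '198.51.100.7 - - [21/May/2025:10:00:09 +0000] "GET /placeholder-path HTTP/1.1" 200 900 "close, X-Real-Ip"',
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_LOG).items():
        print(idx, rules)
```

Most access-log formats do not record the Connection header, so the second rule needs that field added to the proxy's log format before it can fire.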

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck | | 10.0 | CRITICAL |