CVE-2025-34027
Published 2025-05-21
Priority P193 · critical · 10 · CVSS 4.0
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 35.99% (98.3th percentile)
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE). This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| versa | concerto | 12.1.2 – 12.2.0 | — |
Detection & IOCs (extracted from sources)
- Detect authentication bypass attempts by looking for semicolon-encoded path segments in URLs targeting Versa Concerto API endpoints (e.g., /portalapi/v1/roles/option;%2f...)
- Successful exploitation returns 'ENTERPRISE_ADMINISTRATOR' in the response body; alert on this string appearing in unauthenticated API responses
- Successful exploitation returns the 'EECP-CSRF-TOKEN' header in the response; monitor for this header on unauthenticated requests
- Block or alert on semicolons in URLs at the WAF/reverse proxy layer as a mitigation against the URL decoding inconsistency bypass
- Drop or alert on requests containing 'Connection: X-Real-Ip' header to block actuator access abuse (related CVE-2025-34026 chaining vector)
- Check Point IPS blade signature 'Versa Concerto Authentication Bypass' provides detection coverage for this CVE
- Affected versions are Versa Concerto 12.1.2 through 12.2.0; additional versions outside this range may also be vulnerable
- The vulnerability stems from URL decoding inconsistencies in the Traefik reverse proxy configuration; the bypass uses semicolon-encoded path segments to reach protected endpoints
- RCE is achieved via a TOCTOU race condition on the Spack upload endpoint combined with ld.so.preload path loading manipulation; exploitation requires chaining the auth bypass with the race condition
- Versa Networks states hotfixes were completed March 7, 2025 and a GA release was made available April 16, 2025; no confirmed in-the-wild exploitation reported as of disclosure
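
The request and response indicators listed above can be combined into one triage function over proxy log records. This is an added example, not code from any of the cited sources; the event dictionary layout, the finding labels, the constructed sample path suffix and the rule that "unauthenticated" means no Cookie or Authorization header are all assumptions.

```python
from urllib.parse import urlsplit

ADMIN_MARKER = "ENTERPRISE_ADMINISTRATOR"   # response-body string named on the page
CSRF_HEADER = "eecp-csrf-token"             # response header named on the page

def _lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}

def is_unauthenticated(request_headers):
    # Assumption: no Cookie and no Authorization header means no session.
    h = _lower_keys(request_headers)
    return "cookie" not in h and "authorization" not in h

def findings(event):
    """Return the indicator labels (hypothetical names) that match one event."""
    req = _lower_keys(event["request_headers"])
    resp = _lower_keys(event.get("response_headers", {}))
    out = []
    # Semicolon inside the raw, undecoded path (query string is ignored).
    if ";" in urlsplit(event["url"]).path:
        out.append("semicolon-in-path")
    # Connection header that lists X-Real-Ip as a hop-by-hop header.
    tokens = [t.strip().lower() for t in req.get("connection", "").split(",")]
    if "x-real-ip" in tokens:
        out.append("connection-x-real-ip")
    # Response-side indicators only matter when the caller had no session.
    if is_unauthenticated(event["request_headers"]):
        if ADMIN_MARKER in event.get("response_body", ""):
            out.append("admin-role-in-unauthenticated-response")
        if CSRF_HEADER in resp:
            out.append("csrf-token-on-unauthenticated-request")
    return out

# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    {"url": "/portalapi/v1/roles/option;%2fCONSTRUCTED-SUFFIX",
     "request_headers": {"Host": "concerto.example"},
     "response_headers": {"EECP-CSRF-TOKEN": "constructed"},
     "response_body": '{"role": "ENTERPRISE_ADMINISTRATOR"}'},
    {"url": "/portalapi/v1/roles/option",
     "request_headers": {"Cookie": "session=constructed"},
     "response_headers": {"EECP-CSRF-TOKEN": "constructed"},
     "response_body": '{"role": "ENTERPRISE_ADMINISTRATOR"}'},
    {"url": "/constructed/path?a=1;b=2",
     "request_headers": {"Connection": "close, X-Real-Ip"},
     "response_headers": {}, "response_body": ""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["url"], findings(ev))
```

Semicolons also appear in legitimate path parameters on some applications, so the first label is best used as an alert in front of Concerto specifically rather than as a site-wide block.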
CVSS provenance
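| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 10.0 | CRITICAL | — |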
GHSA
GHSA-96gf-3rqf-c8m9
ghsa_unreviewed·2025-05-22
CVE-2025-34027 [CRITICAL] CWE-287 GHSA-96gf-3rqf-c8m9
VulnCheck
Versa Concerto Time-of-check Time-of-use (TOCTOU) Race Condition
vulncheck·2025·CVSS 10.0
CVE-2025-34027 [CRITICAL] Versa Concerto Time-of-check Time-of-use (TOCTOU) Race Condition
Affected: Versa Networks Versa Concerto SD-WAN Orchestration Platform
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of
No detection rules found.
Nuclei
Versa Concerto API Path Based - Authentication Bypass
nuclei·CVSS 10.0
CVE-2025-34027 [CRITICAL] Versa Concerto API Path Based - Authentication Bypass
Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path. This issue enabled attackers to bypass authentication controls and access restricted resources.
Template:
```yaml
id: CVE-2025-34027

info:
  name: Versa Concerto API Path Based - Authentication Bypass
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path.This issue enabled attackers to bypass authentication controls and access restricted resources.
  impact: |
    Attackers
```
Checkpoint
26th May – Threat Intelligence Report
blogs_checkpoint·2025-05-26
CVE-2025-4918 26th May – Threat Intelligence Report
## 26th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 26th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Cellcom, a Wisconsin-based wireless provider, has been impacted by a cyberattack that resulted in widespread outages of voice and SMS services beginning on May 14, 2025. The incident disrupted communication for customers across Wisconsin and Upper Michigan, leaving them unable to make phone calls or send text messages. No threat
Bleepingcomputer
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
blogs_bleepingcomputer·2025-05-22·CVSS 8.6
[HIGH] Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
## Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
## Bill Toulas
Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems.
Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.
Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.
It is used by large enterprises managing complex WAN environments, telecom operators providing managed SD-WAN/SASE services to customers, government agencies th
Greynoiseio
NoiseLetter June 2025
blogs_greynoiseio