Cybersecurity researchers have disclosed multiple critical vulnerabilities in the Versa Concerto network security and SD-WAN orchestration platform. Chained together, the flaws allow an unauthenticated attacker to take complete control of an affected system, including the host underneath the product's containers. The issues were reported to Versa Networks on February 13, 2025; they remained unpatched when the 90-day disclosure deadline expired, and the researchers have now published the details.
The vulnerabilities, discovered by ProjectDiscovery researchers Harsh Jaiswal, Rahul Maini, and Parth Malhotra, are as follows:
1. CVE-2025-34025 (CVSS score: 8.6): This vulnerability involves privilege escalation and Docker container escape due to unsafe default mounting of host binary paths. An attacker could exploit this to execute code on the underlying host machine.
2. CVE-2025-34026 (CVSS score: 9.2): An authentication bypass in the Traefik reverse proxy configuration allows unauthorized access to administrative endpoints. This could be further exploited to access heap dumps and trace logs via an internal Spring Boot Actuator endpoint.
3. CVE-2025-34027 (CVSS score: 10.0): Another authentication bypass in the Traefik reverse proxy configuration enables access to administrative endpoints. This can be exploited to achieve remote code execution by writing arbitrary files through the package upload endpoint (/portalapi/v1/package/spack/upload).
Exploiting CVE-2025-34027 involves a race condition in the package upload endpoint that lets an attacker write two files to disk in a single request. One write overwrites /etc/ld.so.preload, the loader's system-wide counterpart of the LD_PRELOAD environment variable, so that every dynamically linked program subsequently started on the system loads the attacker's library; the other write drops that library, a shared object carrying a reverse shell. The researchers detailed their approach:
Our approach involved overwriting ../../../../../../etc/ld.so.preload with a path pointing to /tmp/hook.so. Simultaneously, we uploaded /tmp/hook.so, which contained a compiled C binary for a reverse shell. Since our request triggered two file write operations, we leveraged this to ensure that both files were written within the same request.
They further explained:
Once these files were successfully written, any command execution on the system while both persisted would result in the execution of /tmp/hook.so, thereby giving us a reverse shell.
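The technique described above leaves a distinctive artifact: an entry in /etc/ld.so.preload that points into an attacker-writable directory. The script below is an added example, not code from the article or from ProjectDiscovery's write-up; it parses an ld.so.preload listing the way glibc does (whitespace-separated paths, `#` comments) and reports entries that should never appear there. The list of untrusted directory prefixes and the sample file content are assumptions constructed for the example, not values taken from Versa Concerto.

```python
"""Audit ld.so.preload for entries that do not belong there.

Added example (not from the article or ProjectDiscovery). An empty or
absent /etc/ld.so.preload is the normal state on most systems; any entry
under a world-writable or user-owned directory is a strong indicator that
the preload mechanism has been hijacked.
"""
import os
import stat
from typing import List, Tuple

# Directories a legitimate preload library would never live in.
# Assumption: a reasonable default list, not a Versa-specific value.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_preload(text: str) -> List[str]:
    """Return the library paths listed in ld.so.preload content.

    glibc treats the file as whitespace-separated entries and strips
    '#' comments, so the parser tolerates both forms.
    """
    paths: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.extend(line.split())
    return paths


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries that warrant investigation."""
    findings: List[Tuple[str, str]] = []
    for path in parse_preload(text):
        if not path.startswith("/"):
            # A bare name is resolved through the library search path,
            # which gives an attacker more places to plant the file.
            findings.append((path, "relative path (resolved via the library search path)"))
        elif path.startswith(UNTRUSTED_PREFIXES):
            findings.append((path, "library lives in a world-writable or user-owned location"))
    return findings


def audit_file(path: str = "/etc/ld.so.preload") -> List[Tuple[str, str]]:
    """Audit a real ld.so.preload on this host (read-only)."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = suspicious_entries(fh.read())
    # The file itself must not be writable by anyone but root.
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((path, "ld.so.preload itself is group- or world-writable"))
    return findings


# Constructed sample: what the file would contain after the write
# described in the article (a single line naming the dropped library).
SAMPLE_PRELOAD = "/tmp/hook.so\n"

if __name__ == "__main__":
    print("sample file:")
    for lib, why in suspicious_entries(SAMPLE_PRELOAD):
        print(f"  {lib}: {why}")
    print("this host:")
    for lib, why in audit_file():
        print(f"  {lib}: {why}")
```

Run it unprivileged on a suspected host; an empty result for the host section is the expected state. Because the loader honours the file for every new process, a finding here should be treated as active compromise rather than as a misconfiguration.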
In the absence of official patches, users are advised to implement the following mitigations:
– Block Semicolons in URL Paths: Reject any request whose URL path contains a semicolon. The researchers present this as closing one of the routes to the unauthenticated administrative endpoints; note that it also breaks any legitimate client that relies on semicolon-delimited path parameters.
– Drop Requests with Specific Headers: Drop any request whose Connection header lists X-Real-Ip. Match the token case-insensitively and against each comma-separated value in the header, since HTTP header names are case-insensitive and Connection may carry several tokens.
– Monitor Network Traffic and Logs: Regularly review network traffic and system logs for any suspicious activity that may indicate exploitation attempts.
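The two request-level mitigations above are simple enough to express as a filter in front of the application. The code below is an added example, not part of the article, of Versa Concerto or of Traefik; it implements both rules as a pure check plus WSGI middleware, so the same logic can be dropped in front of a Python service or translated into a proxy or WAF rule. The request paths and header values used to exercise it are constructed for the example and are not taken from the advisory.

```python
"""Interim request filter for the two mitigations listed in the article.

Added example, not vendor code. Rule 1 rejects a semicolon anywhere in the
URL path (literal or percent-encoded, in case the backend decodes before
routing). Rule 2 rejects a Connection header that names X-Real-Ip: the
Connection header lists hop-by-hop headers a proxy removes before
forwarding (RFC 7230 section 6.1), so a client that lists X-Real-Ip there
can get a compliant proxy to strip that header from the forwarded request.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import unquote


def connection_tokens(value: str) -> List[str]:
    """Split a Connection header into lower-cased, whitespace-trimmed tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def rejection_reason(path: str, headers: Dict[str, str]) -> Optional[str]:
    """Return why a request must be dropped, or None if it passes both rules.

    `headers` maps header name to value; names are compared case-insensitively.
    """
    if ";" in path or ";" in unquote(path):
        return "semicolon in URL path"
    for name, value in headers.items():
        if name.lower() == "connection" and "x-real-ip" in connection_tokens(value):
            return "Connection header lists X-Real-Ip"
    return None


class MitigationMiddleware:
    """WSGI middleware returning 400 for any request that matches either rule."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ: Dict, start_response: Callable) -> Iterable[bytes]:
        # Check the raw request line if the server exposes it, and the
        # decoded PATH_INFO otherwise; either form may carry the semicolon.
        path = environ.get("RAW_URI") or environ.get("PATH_INFO", "")
        headers = {
            key[5:].replace("_", "-"): value
            for key, value in environ.items()
            if key.startswith("HTTP_")
        }
        reason = rejection_reason(path, headers)
        if reason is not None:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [f"blocked: {reason}\n".encode()]
        return self.app(environ, start_response)


def _upstream_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for the protected application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_request(method: str, path: str, headers: Dict[str, str]) -> Tuple[str, bytes]:
    """Drive the middleware with a constructed WSGI environ; return (status, body)."""
    environ: Dict[str, str] = {"REQUEST_METHOD": method, "PATH_INFO": path}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured: Dict[str, str] = {}

    def start_response(status: str, response_headers) -> None:
        captured["status"] = status

    body = b"".join(MitigationMiddleware(_upstream_app)(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed requests: one clean, one per rule.
    for req in [
        ("GET", "/status", {"Host": "concerto.example"}),
        ("GET", "/app/x;y", {}),
        ("GET", "/status", {"Connection": "keep-alive, X-Real-Ip"}),
    ]:
        status, body = run_request(*req)
        print(req[1], req[2], "->", status, body.decode().strip())
```

Deploy the filter as close to the network edge as possible so the check runs before any component that might normalise the path or honour the Connection header. The semicolon rule is deliberately blunt; if legitimate traffic uses path parameters, scope it to the affected path prefixes rather than dropping it.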
The Hacker News has reached out to Versa Networks for comment and will update the story upon receiving a response.