Date: 2025-05-22

Three critical vulnerabilities have been reported in Versa Concerto, an orchestration platform for Versa Networks’ Software-Defined Wide Area Network (SD-WAN) and Secure Access Service Edge (SASE) solutions.

Versa has not released a patch for any of the vulnerabilities, despite being made aware of the issues in mid-February.

Three Critical Flaws in Versa Concerto

Vulnerability management firm ProjectDiscovery published an advisory on May 21 about three newly discovered vulnerabilities in Versa Concerto.

Detected in early February by three ProjectDiscovery researchers, Harsh Jaiswal, Rahul Maini and Parth Malhotra, these flaws were allocated three CVE identifiers on May 21 by VulnCheck:

CVE-2025-34025: a privilege escalation and container escape vulnerability (CVSSv4 rating: 8.6) caused by unsafe default mounting of host binary paths, which allows the container to modify host paths

CVE-2025-34026: a Versa Concerto Actuator authentication bypass in the Traefik reverse proxy configuration (CVSSv4 rating: 9.2) that can lead to an information leak

CVE-2025-34027: an authentication bypass in the Traefik reverse proxy configuration (CVSSv4 rating: 10.0), allowing an attacker to achieve remote code execution via path loading manipulation

“These vulnerabilities, ranging from authentication bypasses to remote code execution and container escapes, highlight the potential for severe exploitation if left unaddressed,” noted the ProjectDiscovery report.

No Patches After Vulnerability Disclosure Deadline Passed

ProjectDiscovery informed the Versa Concerto team about the flaws on February 13, with a 90-day disclosure timeline.

On March 28, the Versa Concerto team informed ProjectDiscovery that hotfixes and patches would be released on April 7.

ProjectDiscovery stated that it did not find any evidence of those patches, despite contacting the Versa Concerto team multiple times in April.

The 90-day disclosure timeline ended on May 13. The ProjectDiscovery team waited a few more days to publish its analysis but decided to proceed and publish on May 21.

It also notified VulnCheck, a CVE Numbering Authority (CNA), which publicly disclosed the three vulnerabilities.

Infosecurity contacted Versa Networks for comment but had not received a response at the time of writing.