Versa Concerto 0-Day Authentication Bypass Vulnerability Allows Remote Code Execution
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Significant vulnerabilities were uncovered in Versa Concerto, a widely deployed SD-WAN orchestration platform used by major enterprises and government entities.
The flaws include authentication bypass vulnerabilities that can be chained to achieve remote code execution and complete system compromise.
Despite responsible disclosure efforts beginning in February 2025, these critical issues remain unpatched, leaving organizations vulnerable to attack.
The Versa Concerto platform, which provides network security and SD-WAN orchestration capabilities, contains a severe Time-of-Check to Time-of-Use (TOCTOU) vulnerability in its authentication mechanism.
The flaw stems from inconsistent URL processing between the authentication check and controller handling.
Authentication Bypass Chain Leads to System Compromise
“During the authentication check, the REQUEST_URI undergoes URL decoding. However, the URL is processed without decoding to the controllers,” ProjectDiscovery researchers shared with Cyber Security News.
This inconsistency allows attackers to craft special URLs that bypass authentication controls.
The exploit leverages semicolons and URL-encoded slashes in requests. For example, sending a request to /portalapi/v1/users/username/admin;%2fv1%2fping causes the authentication filter to misidentify it as an excluded endpoint.
Organizations using Versa Concerto for their network infrastructure management are at significant risk, as these vulnerabilities have been assigned a CVSS score of 10.0, indicating critical severity.
Once authentication is bypassed, attackers can exploit an arbitrary file write vulnerability in the /portalapi/v1/package/spack/upload endpoint.
Although exception handlers quickly delete uploaded files, researchers demonstrated a race condition that allows for successful exploitation.
The attack chain involves:
Additional vulnerabilities include a Spring Boot Actuator authentication bypass (CVE-2025-34026) that can be triggered with this HTTP request:
This exploit leverages a vulnerability in Traefik (CVE-2024-45410) that allows manipulation of HTTP headers.
Unpatched Status and Mitigation Recommendations
The researchers followed responsible disclosure practices, initially reporting the vulnerabilities to Versa on February 13, 2025.
Despite acknowledgement and promises of patches, no fixes were delivered by the 90-day disclosure deadline on May 13, 2025.
VulnCheck has assigned three CVEs for the issues:
Until patches are available, organizations should implement temporary mitigations:
“Despite our efforts to responsibly disclose these issues to the Versa team, including multiple follow-ups over the past 90 days, we have not received any response or indication of a forthcoming patch,” the researchers noted.
Organizations using Versa Concerto should take immediate action to implement these mitigations while awaiting official patches.
The severity of these vulnerabilities, combined with their unpatched status, makes this an urgent security concern for affected enterprises.
#Cyber_Security #Cyber_Security_News #Vulnerability #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Versa Concerto 0-Day Authentication Bypass Vulnerability Allows Remote Code Execution
Author: KaaviyaSignificant vulnerabilities were uncovered in Versa Concerto, a widely deployed SD-WAN orchestration platform used by major enterprises and government entities.
The flaws include authentication bypass vulnerabilities that can be chained to achieve remote code execution and complete system compromise.
Despite responsible disclosure efforts beginning in February 2025, these critical issues remain unpatched, leaving organizations vulnerable to attack.
The Versa Concerto platform, which provides network security and SD-WAN orchestration capabilities, contains a severe Time-of-Check to Time-of-Use (TOCTOU) vulnerability in its authentication mechanism.
The flaw stems from inconsistent URL processing between the authentication check and controller handling.
Authentication Bypass Chain Leads to System Compromise
“During the authentication check, the REQUEST_URI undergoes URL decoding. However, the URL is processed without decoding to the controllers,” ProjectDiscovery researchers shared with Cyber Security News.
This inconsistency allows attackers to craft special URLs that bypass authentication controls.
The exploit leverages semicolons and URL-encoded slashes in requests. For example, sending a request to /portalapi/v1/users/username/admin;%2fv1%2fping causes the authentication filter to misidentify it as an excluded endpoint.
Organizations using Versa Concerto for their network infrastructure management are at significant risk, as these vulnerabilities have been assigned a CVSS score of 10.0, indicating critical severity.
Once authentication is bypassed, attackers can exploit an arbitrary file write vulnerability in the /portalapi/v1/package/spack/upload endpoint.
Although exception handlers quickly delete uploaded files, researchers demonstrated a race condition that allows for successful exploitation.
The attack chain involves:
- Using the authentication bypass to access restricted endpoints.
- Exploiting file upload functionality to write to sensitive locations.
- Overwriting ../../../../../../etc/ld.so.preload with a path to a malicious shared object.
- Simultaneously uploading /tmp/hook.so containing reverse shell code.
Additional vulnerabilities include a Spring Boot Actuator authentication bypass (CVE-2025-34026) that can be triggered with this HTTP request:
This exploit leverages a vulnerability in Traefik (CVE-2024-45410) that allows manipulation of HTTP headers.
Unpatched Status and Mitigation Recommendations
The researchers followed responsible disclosure practices, initially reporting the vulnerabilities to Versa on February 13, 2025.
Despite acknowledgement and promises of patches, no fixes were delivered by the 90-day disclosure deadline on May 13, 2025.
VulnCheck has assigned three CVEs for the issues:
- CVE-2025-34027: Authentication Bypass → File Write → RCE.
- CVE-2025-34026: Actuator Authentication Bypass → Information Leak.
- CVE-2025-34025: Insecure Docker Mount → Container Escape.
Until patches are available, organizations should implement temporary mitigations:
- Block requests containing semicolons in URL paths.
- Drop requests with Connection headers containing “X-Real-IP” values.
“Despite our efforts to responsibly disclose these issues to the Versa team, including multiple follow-ups over the past 90 days, we have not received any response or indication of a forthcoming patch,” the researchers noted.
Organizations using Versa Concerto should take immediate action to implement these mitigations while awaiting official patches.
The severity of these vulnerabilities, combined with their unpatched status, makes this an urgent security concern for affected enterprises.
#Cyber_Security #Cyber_Security_News #Vulnerability #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
