On 21 May 2025, ProjectDiscovery published technical details for multiple vulnerabilities they discovered in Versa Concerto, including authentication bypasses, remote code execution (RCE), and container escapes. Versa Concerto is a centralised management platform used to manage Versa’s SD-WAN and SASE services. It is a Spring Boot-based application deployed via Docker containers and routed through Traefik. Although the vulnerabilities were responsibly disclosed to Versa Networks, they remain unpatched. ProjectDiscovery published their findings to raise awareness given the absence of a fix.
- CVE-2025-34027 – A remote threat actor can exploit this maximum-severity vulnerability in the Traefik reverse proxy configuration to bypass authentication and access administrative endpoints. The flaw arises from improper URL decoding, and if a race condition is successful, remote code execution (RCE) can be achieved through malicious file writes.
- CVE-2025-34026 – A critical-severity authentication bypass vulnerability in the Traefik reverse proxy configuration allows a remote threat actor to access Spring Boot Actuator endpoints, including heap dumps and logs. The flaw stems from improper handling of the X-Real-IP header.
- CVE-2025-34025 – A high-severity container escape vulnerability that arises from insecure mounting in a misconfigured Docker setup, which can lead to full host compromise.
With technical details now public, threat actors may begin targeting these vulnerabilities soon. According to open-source reporting, Versa vulnerabilities have only been targeted once before—in 2024, when the Chinese-nexus threat actor Volt Typhoon exploited the zero-day CVE-2024-39717 in Versa Director to compromise service providers and the information technology sector for credential theft.
Recommendations
Remove Versa Concerto Instances Exposed on the Public Internet
If you do not have a specific reason to expose Versa Concerto publicly, disable or remove its public internet access. At a minimum, consider removing it from public exposure until official fixes are available, to reduce the risk of exploitation.
Implement Workarounds Until Fixes are Available
Because no official patches are currently available, the security researchers at ProjectDiscovery recommended the following workarounds to mitigate the risk posed by the vulnerabilities outlined in this bulletin.
- Block Semicolons in URL Paths: Deploy a rule to reject inbound requests with semicolons (;) in the URL path. According to the researchers, this mitigates the potential abuse of parsing discrepancies that could enable unauthorised access.
- Drop Requests with Specific Connection Headers: Configure your reverse proxy or WAF to block requests where the Connection header includes X-Real-Ip (case-insensitive). According to the researchers, this reduces the risk of unauthorised access to internal endpoints caused by header manipulation.
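The two workaround rules above can be expressed as a request filter and checked against sample traffic before they are translated into a reverse proxy or WAF rule. The following is an added example, not code from ProjectDiscovery or Versa; the function names and sample requests are constructed for illustration, and also checking the percent-decoded path is an assumption that goes beyond the rule as stated.

```python
from urllib.parse import unquote

def path_has_semicolon(request_target):
    """True if the path part (before '?') contains ';', raw or as %3B."""
    path = request_target.split("?", 1)[0]
    # Assumption added here: the decoded form is checked too, since the
    # bulletin attributes the bypass to improper URL decoding.
    return ";" in path or ";" in unquote(path)

def connection_includes_x_real_ip(headers):
    """True if any Connection header value includes X-Real-Ip (any case)."""
    for name, value in headers:  # list of pairs, so repeated headers are seen
        if name.strip().lower() == "connection" and "x-real-ip" in value.lower():
            return True
    return False

def block_reason(request_target, headers):
    """Return the name of the rule that rejects the request, or None."""
    if path_has_semicolon(request_target):
        return "semicolon-in-path"
    if connection_includes_x_real_ip(headers):
        return "connection-includes-x-real-ip"
    return None

# Constructed sample requests: (request target, [(header name, value), ...])
SAMPLES = [
    ("/app/index.html?sort=a;b", [("Connection", "keep-alive")]),
    ("/app/index;x=1", []),
    ("/app/index%3bx", []),
    ("/app/", [("connection", "keep-alive, x-REAL-ip")]),
    ("/app/", [("X-Real-IP", "10.0.0.1"), ("Connection", "close")]),
]

def evaluate(samples):
    """Apply both rules to each sample and return the list of verdicts."""
    return [block_reason(target, headers) for target, headers in samples]

if __name__ == "__main__":
    for (target, _), verdict in zip(SAMPLES, evaluate(SAMPLES)):
        print(f"{target!r}: {verdict or 'allow'}")
```

A semicolon that appears only in the query string is allowed, because the rule is scoped to the URL path, and an X-Real-IP header on its own is not blocked, only a Connection header that names it.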