{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-34025", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.545Z", "datePublished": "2025-05-21T22:11:32.081Z", "dateUpdated": "2025-05-28T03:56:02.808Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["web-service Container"], "product": "Concerto", "vendor": "Versa", "versions": [{"lessThanOrEqual": "12.2.0", "status": "affected", "version": "12.1.2", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "sponsor", "value": "ProjectDiscovery"}, {"lang": "en", "type": "finder", "value": "Harsh Jaiswal"}, {"lang": "en", "type": "finder", "value": "Rahul Maini"}, {"lang": "en", "type": "finder", "value": "Parth Malhotra"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an privileges escalation and container escape vulnerability caused by unsafe default mounting of host binary paths that allow the container to modify host paths. The escape can be used to trigger remote code execution or direct host access depending on the host operating system configuration.<p>This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.</p>"}], "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an privileges escalation and container escape vulnerability caused by unsafe default mounting of host binary paths that allow the container to modify host paths. The escape can be used to trigger remote code execution or direct host access depending on the host operating system configuration.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable."}], "impacts": [{"capecId": "CAPEC-480", "descriptions": [{"lang": "en", "value": "CAPEC-480 Escaping Virtualization"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-05-21T23:08:42.858Z"}, "references": [{"tags": ["exploit", "mitigation"], "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"}], "source": {"discovery": "UNKNOWN"}, "title": "Versa Concerto Insecure Docker Mount Container Escape", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-27T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-34025"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-28T03:56:02.808Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-22T15:53:20.426384Z"}}}], "references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-22T15:53:41.586Z"}}], "cna": {"title": "Versa Concerto Insecure Docker Mount Container Escape", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "sponsor", "value": "ProjectDiscovery"}, {"lang": "en", "type": "finder", "value": "Harsh Jaiswal"}, {"lang": "en", "type": "finder", "value": "Rahul Maini"}, {"lang": "en", "type": "finder", "value": "Parth Malhotra"}], "impacts": [{"capecId": "CAPEC-480", "descriptions": [{"lang": "en", "value": "CAPEC-480 Escaping Virtualization"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Versa", "modules": ["web-service Container"], "product": "Concerto", "versions": [{"status": "affected", "version": "12.1.2", "versionType": "semver", "lessThanOrEqual": "12.2.0"}], "defaultStatus": "unknown"}], "references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "tags": ["exploit", "mitigation"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an privileges escalation and container escape vulnerability caused by unsafe default mounting of host binary paths that allow the container to modify host paths. The escape can be used to trigger remote code execution or direct host access depending on the host operating system configuration.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.", "supportingMedia": [{"type": "text/html", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an privileges escalation and container escape vulnerability caused by unsafe default mounting of host binary paths that allow the container to modify host paths. The escape can be used to trigger remote code execution or direct host access depending on the host operating system configuration.<p>This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-05-21T23:08:42.858Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34025", "state": "PUBLISHED", "dateUpdated": "2025-05-28T03:56:02.808Z", "dateReserved": "2025-04-15T19:15:22.545Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-05-21T22:11:32.081Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an privileges escalation and container escape vulnerability caused by unsafe default mounting of host binary paths that allow the container to modify host paths. The escape can be used to trigger remote code execution or direct host access depending on the host operating system configuration.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable."}, {"lang": "es", "value": "La plataforma de orquestaci\u00f3n SD-WAN Versa Concerto es vulnerable a una vulnerabilidad de escalada de privilegios y escape de contenedor causada por el montaje predeterminado inseguro de rutas binarias del host, lo que permite que el contenedor modifique dichas rutas. El escape puede usarse para activar la ejecuci\u00f3n remota de c\u00f3digo o el acceso directo al host, seg\u00fan la configuraci\u00f3n del sistema operativo del host. Se sabe que este problema afecta a Concerto desde la versi\u00f3n 12.1.2 hasta la 12.2.0. Otras versiones podr\u00edan ser vulnerables."}], "id": "CVE-2025-34025", "lastModified": "2025-05-23T15:55:02.040", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-05-21T23:15:54.827", "references": [{"source": "disclosure@vulncheck.com", "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}