CVE-2025-34026 - Vulnerability Details - OpenCVE

The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce

History

Thu, 22 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 21 May 2025 22:15:00 +0000

Type	Values Removed	Values Added
Description		The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
Title		Versa Concerto Actuator Authentication Bypass Information Leak
Weaknesses		CWE-287
References		https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
Metrics		cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-05-21T22:04:58.832Z

Updated: 2025-05-22T15:22:26.869Z

Reserved: 2025-04-15T19:15:22.545Z

Link: CVE-2025-34026

Vulnrichment

Updated: 2025-05-22T15:22:12.724Z

NVD

Status : Awaiting Analysis

Published: 2025-05-21T22:15:50.510

Modified: 2025-05-23T15:55:02.040

Link: CVE-2025-34026

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-34026", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.545Z", "datePublished": "2025-05-21T22:04:58.832Z", "dateUpdated": "2025-05-22T15:22:26.869Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["Traefik"], "product": "Concerto", "vendor": "Versa", "versions": [{"lessThanOrEqual": "12.2.0", "status": "affected", "version": "12.1.2", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "sponsor", "value": "ProjectDiscovery"}, {"lang": "en", "type": "finder", "value": "Harsh Jaiswal"}, {"lang": "en", "type": "finder", "value": "Rahul Maini"}, {"lang": "en", "type": "finder", "value": "Parth Malhotra"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.<p>This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.</p>"}], "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable."}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.2, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-05-21T22:04:58.832Z"}, "references": [{"tags": ["exploit", "mitigation"], "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"}], "source": {"discovery": "UNKNOWN"}, "title": "Versa Concerto Actuator Authentication Bypass Information Leak", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-22T15:21:53.580126Z", "id": "CVE-2025-34026", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-22T15:22:26.869Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34026", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-22T15:21:53.580126Z"}}}], "references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-22T15:22:12.724Z"}}], "cna": {"title": "Versa Concerto Actuator Authentication Bypass Information Leak", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "sponsor", "value": "ProjectDiscovery"}, {"lang": "en", "type": "finder", "value": "Harsh Jaiswal"}, {"lang": "en", "type": "finder", "value": "Rahul Maini"}, {"lang": "en", "type": "finder", "value": "Parth Malhotra"}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Versa", "modules": ["Traefik"], "product": "Concerto", "versions": [{"status": "affected", "version": "12.1.2", "versionType": "semver", "lessThanOrEqual": "12.2.0"}], "defaultStatus": "unknown"}], "references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "tags": ["exploit", "mitigation"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.", "supportingMedia": [{"type": "text/html", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.<p>This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-05-21T22:04:58.832Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34026", "state": "PUBLISHED", "dateUpdated": "2025-05-22T15:22:26.869Z", "dateReserved": "2025-04-15T19:15:22.545Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-05-21T22:04:58.832Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable."}, {"lang": "es", "value": "La plataforma de orquestaci\u00f3n SD-WAN Versa Concerto es vulnerable a una omisi\u00f3n de autenticaci\u00f3n en la configuraci\u00f3n del proxy inverso Traefik, lo que permite a un atacante acceder a los endpoints administrativos. El endpoint interno del Actuador puede utilizarse para acceder a volcados de pila y registros de seguimiento. Se sabe que este problema afecta a Concerto desde la versi\u00f3n 12.1.2 hasta la 12.2.0. Otras versiones podr\u00edan ser vulnerables."}], "id": "CVE-2025-34026", "lastModified": "2025-05-23T15:55:02.040", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-05-21T22:15:50.510", "references": [{"source": "disclosure@vulncheck.com", "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}