Critical Vulnerabilities Found in Versa Networks SD-WAN/SASE Platform

Three critical vulnerabilities have been reported in Versa Concerto, an orchestration platform for Versa Networks’ Software-Defined Wide Area Network (SD-WAN) and Secure Access Service Edge (SASE) solutions.

Versa has not publicly released a patch for any of the vulnerabilities, despite being made aware of the issues in mid-February.

Three Critical Flaws in Versa Concerto

Vulnerability management firm ProjectDiscovery published an advisory on May 21 about three newly discovered vulnerabilities in Versa Concerto.

Detected in early February by three ProjectDiscovery researchers, Harsh Jaiswal, Rahul Maini and Parth Malhotra, these flaws were allocated three CVE identifiers on May 21 by VulnCheck:

  • CVE-2025-34025: a privilege escalation and container escape vulnerability (CVSSv4 rating: 8.6) caused by unsafe default mounting of host binary paths that allow the container to modify host paths
  • CVE-2025-34026: a Versa Concerto Actuator authentication bypass in the Traefik reverse proxy configuration (CVSSv4 rating: 9.2) that can lead to an information leak
  • CVE-2025-34027: an authentication bypass in the Traefik reverse proxy configuration (CVSSv4 rating: 10.0), allowing an attacker to achieve remote code execution via path loading manipulation
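The first of these flaws is a class of misconfiguration that is easy to audit for: a container that has a host binary directory bind-mounted read-write can alter what the host executes. The following script is an added example, not code from the Infosecurity article, ProjectDiscovery or Versa; it reads `docker inspect`-style JSON and flags read-write bind mounts whose source overlaps a host binary path. The sample inspect data is constructed for the demo, and the list of host binary paths is an assumption to be extended for your platform.

```python
"""Audit container bind mounts for read-write exposure of host binary paths.

Added defensive example (not from the article or the vendor). Input is a subset
of `docker inspect` output: a list of containers, each with "Name" and "Mounts".
"""
import json
import posixpath
import sys

# Host directories whose contents the host executes. A read-write bind mount of
# any of these, or of a parent such as "/", lets a process inside the container
# modify host binaries. (Assumed list; adjust for the platform you audit.)
HOST_BINARY_PATHS = (
    "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin",
)


def _overlaps(source, root):
    """True if bind-mount `source` covers `root` (source is root or an ancestor)
    or lies inside `root` (a single file or subdirectory of a binary path)."""
    source = posixpath.normpath(source)
    root = posixpath.normpath(root)
    if source == "/":
        return True
    return (
        source == root
        or root.startswith(source + "/")
        or source.startswith(root + "/")
    )


def find_writable_host_binary_mounts(inspect_json):
    """Return (container, host_source, container_destination) for every
    read-write bind mount whose host source overlaps a host binary path."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for mount in container.get("Mounts", []):
            # Named volumes live under Docker's own data root; only bind mounts
            # expose arbitrary host paths. Read-only mounts cannot alter the host.
            if mount.get("Type") != "bind" or not mount.get("RW", False):
                continue
            src = posixpath.normpath(mount.get("Source", ""))
            if any(_overlaps(src, p) for p in HOST_BINARY_PATHS):
                findings.append((name, src, mount.get("Destination", "")))
    return findings


# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/orchestrator", "Mounts": [
        {"Type": "bind", "Source": "/usr/bin", "Destination": "/host/usr/bin", "RW": True},
        {"Type": "bind", "Source": "/etc/ssl/certs", "Destination": "/etc/ssl/certs", "RW": False},
        {"Type": "volume", "Name": "data",
         "Source": "/var/lib/docker/volumes/data/_data", "Destination": "/data", "RW": True},
    ]},
    {"Name": "/proxy", "Mounts": [
        {"Type": "bind", "Source": "/usr/local/bin/", "Destination": "/tools", "RW": False},
        {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
    ]},
])


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit_mounts.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, src, dst in find_writable_host_binary_mounts(data):
        print(f"[RISK] container {name}: host {src} mounted read-write at {dst}")
```

Anything the script reports should either be remounted read-only (`:ro` in the bind specification) or dropped from the container definition entirely; a read-only mount of a binary path lets the container read host tools without being able to replace them.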

“These vulnerabilities, ranging from authentication bypasses to remote code execution and container escapes, highlight the potential for severe exploitation if left unaddressed,” noted the ProjectDiscovery report.

No Patches After Vulnerability Disclosure Deadline Passed

ProjectDiscovery informed the Versa Concerto team about the flaws on February 13, with a 90-day disclosure timeline.

On March 28, the Versa Concerto team informed ProjectDiscovery that hotfixes and patches would be released on April 7.

ProjectDiscovery stated that it did not find any evidence of those patches, despite contacting the Versa Concerto team multiple times in April.

The 90-day disclosure timeline ended on May 13. The ProjectDiscovery team waited a few more days before proceeding to publish its analysis on May 21.

It also notified VulnCheck, a CVE Numbering Authority (CNA), which publicly disclosed the three vulnerabilities.

May 23 Update: Customers-Only Hotfixes

Contacted by Infosecurity, Versa Networks said it developed and validated hotfixes for the three vulnerabilities, which were made available to customers on March 7 but not disclosed to the public. Additionally, a software release containing these remediations was made available to all customers on April 16, 2025.

"All affected customers were notified through established security and support channels with guidance on how to apply the recommended updates. Many customers have already upgraded to the April 16 release, though we recognize some deployments may still be pending," said a Versa spokesperson.

The company also told Infosecurity it hasn't seen any indication that these vulnerabilities have been exploited in the wild, and said no customer impact has been reported.

This article was updated on May 23, 2025 to add Versa's response.
