9.2
CVE-2025-34026
- EPSS 83.38%
- Veröffentlicht 21.05.2025 22:15:50
- Zuletzt bearbeitet 23.01.2026 18:39:24
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
LoginVersa Concerto Actuator Authentication Bypass Information Leak
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Versa-networks ≫ Concerto Version >= 11.4.0 < 12.1.2
Versa-networks ≫ Concerto Version12.1.2 Update-
Versa-networks ≫ Concerto Version12.2.0
22.01.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog
Versa Concerto Improper Authentication Vulnerability
SchwachstelleVersa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.
BeschreibungApply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 83.38% | 0.996 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| disclosure@vulncheck.com | 9.2 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-288 Authentication Bypass Using an Alternate Path or Channel
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34026
https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e