Multiple security flaws reported in Versa Concerto platform, two critical
Take action: These exploits target a specific Versa Concerto deployment pattern: the application running in Docker containers and, for the two authentication-bypass flaws, fronted by a Traefik reverse proxy. Check whether your deployment matches this pattern and is therefore vulnerable. If it is, first make sure the platform is isolated from the internet and reachable only from trusted networks. Then prepare mitigations at the reverse proxy or WAF that drop requests whose URL path contains a semicolon and requests whose Connection header contains the value X-Real-Ip.
Learn More
Cybersecurity researchers from ProjectDiscovery are reporting multiple security vulnerabilities, two of them critical, in Versa Concerto, a network security and SD-WAN orchestration platform used by large enterprises, service providers, and government entities.
The research revealed vulnerabilities in Versa Concerto's Spring Boot-based application, deployed as Docker containers and fronted by a Traefik reverse proxy:
- CVE-2025-34027 (CVSS score 10.0) - An authentication bypass caused by URL decoding inconsistencies in the Traefik reverse proxy configuration. The authentication check runs against a URL-decoded copy of the REQUEST_URI, while the request is passed to the controllers with its original, undecoded path. Because the two layers interpret the same request differently, an attacker can craft a URL containing semicolons and URL-encoded slashes that the authentication check treats as harmless but that the controllers route to a protected endpoint. The attacker can then reach a package upload endpoint to write arbitrary files to the system and achieve remote code execution using LD_PRELOAD techniques and reverse shell payloads.
- CVE-2025-34026 (CVSS score 9.2) - An authentication bypass in the Traefik reverse proxy configuration affecting Spring Boot Actuator endpoints. It leverages Traefik's handling of hop-by-hop headers: any header named in a request's Connection header is treated as hop-by-hop and removed before the request is forwarded. By sending Connection: X-Real-Ip, an attacker makes Traefik drop the X-Real-Ip header it would otherwise forward, and the backend's access control for the Actuator endpoints, which relies on that header, is bypassed. This grants unauthorized access to sensitive administrative functionality and can expose plaintext credentials through heap dumps and logged session tokens.
- CVE-2025-34025 (CVSS score 8.6) - A privilege escalation and Docker container escape vulnerability caused by unsafe default mounting of host binary paths that allow containers to modify host system files. It's caused by a misconfiguration where the core-service Docker container has /usr/bin/ and /bin/ directories directly mapped to the host's filesystem. Attackers with root access inside the container can overwrite frequently used system binaries with malicious shell scripts. When host system cron jobs execute these compromised binaries, attackers gain reverse shell access to the underlying host system.
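A quick way to check for the bind-mount misconfiguration behind CVE-2025-34025 is to read each container's mount table from `docker inspect` output and flag bind mounts whose host side is a system binary directory. The script below is an added example, not Versa's or ProjectDiscovery's tooling; it relies only on the `Mounts` fields that `docker inspect` emits (`Type`, `Source`, `Destination`, `RW`) and runs against a constructed sample of that output. The container name core-service and the /usr/bin and /bin mounts come from the advisory; every other path and container in the sample is an assumption.

```python
import json
import posixpath
import sys

# Host directories whose contents cron jobs and other host services execute.
HOST_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin")


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies below it (after collapsing '..' and '//')."""
    p = posixpath.normpath(path)
    return p == root or p.startswith(root + "/")


def find_host_binary_mounts(inspect_json: str) -> list:
    """Scan `docker inspect` output (a JSON list of containers) and return one
    (container, host_source, container_destination, writable) tuple for every bind
    mount whose host side is a system binary directory. Writable ones are the escape
    path described above; read-only ones are still worth questioning. Paths are
    compared as reported (on merged-/usr hosts /bin and /usr/bin are one directory)."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")     # docker prefixes names with '/'
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":              # named volumes live under /var/lib/docker
                continue
            src = mount.get("Source", "")
            if any(_under(src, root) for root in HOST_BIN_DIRS):
                findings.append((name, src, mount.get("Destination"), bool(mount.get("RW", True))))
    return findings


def writable_host_binary_mounts(inspect_json: str) -> list:
    """Only the mounts a root process inside the container could use to plant a binary."""
    return [f for f in find_host_binary_mounts(inspect_json) if f[3]]


# Constructed sample in the shape `docker inspect <id...>` prints; not real output.
# The /usr/bin and /bin binds mirror the advisory; the other entries are assumptions.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/core-service", "Mounts": [
        {"Type": "bind", "Source": "/usr/bin", "Destination": "/usr/bin", "Mode": "", "RW": True, "Propagation": "rprivate"},
        {"Type": "bind", "Source": "/bin", "Destination": "/bin", "Mode": "", "RW": True, "Propagation": "rprivate"},
        {"Type": "bind", "Source": "/opt/concerto/conf", "Destination": "/conf", "Mode": "ro", "RW": False, "Propagation": "rprivate"},
        {"Type": "volume", "Name": "app-logs", "Source": "/var/lib/docker/volumes/app-logs/_data", "Destination": "/var/log/app", "RW": True},
    ]},
    {"Name": "/postgres", "Mounts": [
        {"Type": "bind", "Source": "/etc/localtime", "Destination": "/etc/localtime", "Mode": "ro", "RW": False, "Propagation": "rprivate"},
    ]},
])


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 check_bin_mounts.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, src, dst, rw in find_host_binary_mounts(data):
        print(f"{name}: host {src} -> container {dst} ({'rw' if rw else 'ro'})")
```

Any writable hit is a container-to-host escape waiting for the next cron run; the fix is to remove the bind or, at minimum, mount it read-only and mount only the specific files the service needs.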
ProjectDiscovery responsibly disclosed these vulnerabilities to Versa Networks on February 13, 2025, with a 90-day disclosure timeline. The vendor initially acknowledged the issues and requested additional information, stating they were eager to patch the vulnerabilities. On March 28, 2025, Versa Networks indicated that hotfixes and patches would be released on April 7, 2025. However, despite multiple follow-up communications in April and May 2025, no patches have been released, and the vendor has stopped responding to disclosure communications.
The 90-day disclosure deadline ended on May 13, 2025, and ProjectDiscovery published their findings publicly on May 21, 2025.
Until official patches are available, organizations using Versa Concerto can implement temporary mitigation measures at the reverse proxy or Web Application Firewall (WAF) level. These include blocking any incoming requests containing semicolons in the URL path to prevent exploitation of the URL decoding inconsistency, and configuring systems to drop requests where the Connection header contains the value X-Real-Ip to mitigate unauthorized access to Spring Boot Actuator endpoints. Organizations should also monitor network traffic and logs for suspicious activity while implementing these interim protections.
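The two Traefik-related bypasses and the interim proxy rules above come down to the same design error: an access decision taken on a different view of the request than the one the backend acts on. The Python below is an added model of that error and of the interim checks, not Concerto's code or ProjectDiscovery's proof of concept. The route prefix /protected/, the trusted address ranges, the order in which the modelled proxy stamps and then strips X-Real-Ip, and every request path and header in it are assumptions chosen to show the mechanism, not details taken from the advisory.

```python
from urllib.parse import unquote
import posixpath

# Hypothetical route table and trusted ranges for the model (not Concerto's).
PROTECTED_PREFIXES = ("/protected/",)   # endpoints that require a session
INTERNAL_NETS = ("10.", "127.")          # client addresses allowed to reach /actuator


# --- CVE-2025-34027 model: auth decides on one view of the path, the controller runs another
def auth_layer_view(raw_path: str) -> str:
    """Path as the modelled authentication check sees it: URL-decoded, dot-segments collapsed."""
    return posixpath.normpath(unquote(raw_path))


def controller_view(raw_path: str) -> str:
    """Path as the modelled dispatcher sees it: left undecoded, with ';...' matrix-parameter
    content removed from every segment (Spring-style semicolon stripping)."""
    return "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))


def vulnerable_dispatch(raw_path: str, authenticated: bool) -> str:
    """Auth decision on the decoded view, dispatch on the undecoded view: the two disagree."""
    if auth_layer_view(raw_path).startswith(PROTECTED_PREFIXES) and not authenticated:
        return "401"
    return "handled " + controller_view(raw_path)


def hardened_dispatch(raw_path: str, authenticated: bool) -> str:
    """Reject the ambiguity up front, then decide on the exact string that will be dispatched."""
    if ";" in raw_path:                    # the advisory's interim rule, applied before routing
        return "400"
    canonical = controller_view(raw_path)
    if canonical.startswith(PROTECTED_PREFIXES) and not authenticated:
        return "401"
    return "handled " + canonical


# --- CVE-2025-34026 model: a client-named hop-by-hop header removes the proxy's own stamp
def _connection_tokens(headers: dict) -> set:
    return {t.strip().lower() for t in headers.get("Connection", "").split(",") if t.strip()}


def proxy_forward(client_ip: str, headers: dict) -> dict:
    """Modelled proxy: stamp the client address into X-Real-Ip, then drop every header the
    request's own Connection header names as hop-by-hop (RFC 7230 section 6.1 semantics).
    In this assumed order, 'Connection: X-Real-Ip' from the client deletes the proxy's stamp."""
    fwd = dict(headers)
    fwd["X-Real-Ip"] = client_ip
    hop = _connection_tokens(fwd) | {"connection"}
    return {k: v for k, v in fwd.items() if k.lower() not in hop}


def vulnerable_actuator_check(fwd_headers: dict) -> bool:
    """Backend rule that trusts the stamp and fails open when it is missing."""
    ip = fwd_headers.get("X-Real-Ip")
    if ip is None:          # no stamp -> assumed to be an internal caller
        return True
    return ip.startswith(INTERNAL_NETS)


def hardened_actuator_check(fwd_headers: dict) -> bool:
    """Same rule, failing closed: a missing stamp is a deny, never an implicit trust."""
    ip = fwd_headers.get("X-Real-Ip")
    return ip is not None and ip.startswith(INTERNAL_NETS)


def proxy_guard(raw_path: str, headers: dict) -> bool:
    """Interim reverse-proxy/WAF rule from the advisory: True if the request may pass.
    Drops any path containing ';' and any request naming X-Real-Ip in Connection."""
    return ";" not in raw_path and "x-real-ip" not in _connection_tokens(headers)


if __name__ == "__main__":
    raw = "/protected/upload;%2F..%2F..%2Fpublic%2Findex"      # constructed request path
    print(auth_layer_view(raw), "vs", controller_view(raw))   # /public/index vs /protected/upload
    print(vulnerable_dispatch(raw, False), "|", hardened_dispatch(raw, False))
    fwd = proxy_forward("203.0.113.7", {"Host": "concerto.example", "Connection": "X-Real-Ip"})
    print(fwd, vulnerable_actuator_check(fwd), hardened_actuator_check(fwd))
    print(proxy_guard(raw, {}), proxy_guard("/actuator/heapdump", {"Connection": "X-Real-Ip"}))
```

The interim rules in proxy_guard are deliberately blunt: they remove the ambiguous inputs rather than resolving them. The durable fix is the hardened pair above, where the authentication check and the dispatcher operate on one canonical path and the backend treats an absent proxy header as untrusted.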