CVE-2025-34027

The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

CVSS

No CVSS.

References

Link	Resource
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce

Configurations

No configuration.

History

22 May 2025, 15:16

Type	Values Removed	Values Added
References	~~() https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce -~~	() https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce -
Summary		(es) La plataforma de orquestación SD-WAN Versa Concerto es vulnerable a una omisión de autenticación en la configuración del proxy inverso Traefik, lo que permite a un atacante acceder a los endpoints administrativos. El endpoint de carga de Spack puede aprovecharse para una escritura TOCTOU (Tiempo de Verificación a Tiempo de Uso) en combinación con una condición de ejecución para lograr la ejecución remota de código mediante la manipulación de la carga de rutas, lo que permite que un agente no autenticado logre la ejecución remota de código (RCE). Se sabe que este problema afecta a Concerto desde la versión 12.1.2 hasta la 12.2.0. Otras versiones podrían ser vulnerables.

21 May 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-21 22:15

Updated : 2025-05-23 15:55

NVD link : CVE-2025-34027

Mitre link : CVE-2025-34027

CVE.ORG link : CVE-2025-34027

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2025-34027", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-21T22:15:50.680", "references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "source": "disclosure@vulncheck.com"}, {"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable."}, {"lang": "es", "value": "La plataforma de orquestaci\u00f3n SD-WAN Versa Concerto es vulnerable a una omisi\u00f3n de autenticaci\u00f3n en la configuraci\u00f3n del proxy inverso Traefik, lo que permite a un atacante acceder a los endpoints administrativos. El endpoint de carga de Spack puede aprovecharse para una escritura TOCTOU (Tiempo de Verificaci\u00f3n a Tiempo de Uso) en combinaci\u00f3n con una condici\u00f3n de ejecuci\u00f3n para lograr la ejecuci\u00f3n remota de c\u00f3digo mediante la manipulaci\u00f3n de la carga de rutas, lo que permite que un agente no autenticado logre la ejecuci\u00f3n remota de c\u00f3digo (RCE). Se sabe que este problema afecta a Concerto desde la versi\u00f3n 12.1.2 hasta la 12.2.0. Otras versiones podr\u00edan ser vulnerables."}], "lastModified": "2025-05-23T15:55:02.040", "sourceIdentifier": "disclosure@vulncheck.com"}