Critical Versa Concerto Flaws Let Attackers Escape Docker and Compromise Hosts

5 Min Read

Cybersecurity researchers have disclosed multiple critical security vulnerabilities affecting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances.

It is worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting public release of the issues after the 90-day deadline passed.

“These vulnerabilities could allow attackers to compromise both the application and the underlying host system when chained,” ProjectDiscovery researchers Harsh Jaiswal, Rahul Maini and Parth Malhotra said in a report shared with The Hacker News.

The list of security flaws is as follows:

  • CVE-2025-34025 (CVSS score: 8.6) – A privilege escalation and Docker container escape vulnerability that can be exploited to gain code execution on the underlying host machine, caused by an unsafe default mounting of host binary paths.
  • CVE-2025-34026 (CVSS score: 9.2) – An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows attackers to access administrative endpoints, leading to access to heap dumps and trace logs via an internal Spring Boot Actuator endpoint via CVE-2024-45410.
  • CVE-2025-34027 (CVSS score: 10.0) – An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows attackers to access administrative endpoints, leading to remote code execution by leveraging an endpoint related to package uploads (“/portalapi/v1/package/spack/upload”).

Successful exploitation of CVE-2025-34027 allows an attacker to exploit a race condition to write malicious files to disk, and ultimately achieve remote code execution using LD_PRELOAD and a reverse shell.

“Our approach involved overwriting ../../../../etc/ld.so.preload with a path pointing to /tmp/hook.so,” the researchers said. “Simultaneously, we uploaded /tmp/hook.so containing a compiled C binary for a reverse shell. Since the request triggered two file write operations, we leveraged this so that both files were written within the same request.”


“If these files were written successfully, any command execution on the system would run /tmp/hook.so, with both persisting across command executions, resulting in a reverse shell.”
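The technique quoted above repoints /etc/ld.so.preload at a library in /tmp, so on a hardened host the expected state of that file is absent, empty, or limited to system library paths. The audit script below is an added example, not code from ProjectDiscovery or Versa: it parses the preload file as a whitespace-separated list with `#` comments (assumed to match the dynamic loader's handling) and flags any entry that is relative, lives in a user-writable location, or sits outside the system library directories. The directory lists and the sample file content are constructed assumptions.

```python
"""Audit an ld.so.preload file for entries the dynamic loader should not be
asked to inject into every process.

Added example, not code from ProjectDiscovery or Versa. The directory lists
and the sample file content below are constructed assumptions.
"""
import os

# Assumed trusted roots for preloaded libraries on a typical glibc host.
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# Assumed locations an unprivileged user or a web application can write to.
VOLATILE_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root")

# Constructed sample content mirroring the state described in the write-up.
SAMPLE_PRELOAD = "/tmp/hook.so\n/usr/lib/x86_64-linux-gnu/libfoo.so\n"


def _under(path, roots):
    """True if `path` is inside one of `roots` (prefix match on a path boundary)."""
    return any(path == r or path.startswith(r + "/") for r in roots)


def parse_preload(text):
    """Split preload text into entries: whitespace-separated, '#' to end of line is a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def audit_preload_text(text):
    """Return (entry, reason) pairs for every suspicious entry in `text`."""
    findings = []
    for entry in parse_preload(text):
        if not entry.startswith("/"):
            findings.append((entry, "relative path"))
        elif _under(entry, VOLATILE_DIRS):
            findings.append((entry, "library in a world-writable or user-controlled directory"))
        elif not _under(entry, TRUSTED_DIRS):
            findings.append((entry, "library outside trusted system library directories"))
    return findings


def audit_preload_file(path="/etc/ld.so.preload"):
    """Audit the preload file on disk; a missing file is the expected clean state."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_preload_text(fh.read())


if __name__ == "__main__":
    # Report on the constructed sample first, then on the real file if present.
    for entry, reason in audit_preload_text(SAMPLE_PRELOAD) + audit_preload_file():
        print(f"{entry}: {reason}")
```

Run it from a cron job or an EDR custom check and alert on any non-empty result; on most distributions the file does not exist at all, so its mere creation is worth a log line.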

In the absence of an official fix, users are advised to block semicolons in URL paths and drop requests whose Connection header contains the value X-Real-Ip. It is also recommended to monitor network traffic and logs for suspicious activity.
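The two interim mitigations in the paragraph above, expressed as an added example rather than Versa's or the researchers' code: a small WSGI middleware that refuses requests whose path contains a semicolon (raw or percent-encoded, a generalisation of the page's advice) or whose Connection header names X-Real-Ip, and logs what it dropped so the log-monitoring recommendation has something to act on. The wrapped application, the sample requests and the logger name are constructed placeholders; the same checks can equally be expressed as rules in the reverse proxy or WAF in front of Concerto.

```python
"""Interim request filter for the two Concerto mitigations recommended above.

Added example, not code from Versa or the researchers. The wrapped
application, the sample requests and the logger name are placeholders.
"""
import logging
from urllib.parse import unquote

log = logging.getLogger("concerto-interim-filter")


def connection_tokens(value):
    """Split a Connection header value into lowercase tokens (comma-separated list)."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def block_reason(path, headers):
    """Return why a request must be dropped, or None if it may pass.

    `headers` is an iterable of (name, value) pairs as seen at the proxy.
    The semicolon check also covers the percent-encoded form, an assumed
    generalisation of the advice to block semicolons in the URL path.
    """
    if ";" in path or ";" in unquote(path):
        return "semicolon in URL path"
    for name, value in headers:
        if name.lower() == "connection" and "x-real-ip" in connection_tokens(value):
            return "Connection header lists X-Real-Ip"
    return None


class InterimFilter:
    """WSGI middleware: answer 403 and log when block_reason() fires."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME>; rebuild (name, value) pairs.
        headers = [(key[5:].replace("_", "-"), value)
                   for key, value in environ.items() if key.startswith("HTTP_")]
        reason = block_reason(environ.get("PATH_INFO", ""), headers)
        if reason is None:
            return self.app(environ, start_response)
        log.warning("dropped %s %s from %s: %s",
                    environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"),
                    environ.get("REMOTE_ADDR"), reason)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"blocked\n"]


# Constructed sample requests in WSGI environ form (not captured traffic).
SAMPLE_REQUESTS = [
    {"REQUEST_METHOD": "GET", "PATH_INFO": "/healthz", "REMOTE_ADDR": "203.0.113.5",
     "HTTP_HOST": "concerto.example", "HTTP_CONNECTION": "keep-alive"},
    {"REQUEST_METHOD": "GET", "PATH_INFO": "/v1/status;x=1", "REMOTE_ADDR": "203.0.113.5",
     "HTTP_HOST": "concerto.example"},
    {"REQUEST_METHOD": "POST", "PATH_INFO": "/v1/status", "REMOTE_ADDR": "203.0.113.5",
     "HTTP_HOST": "concerto.example", "HTTP_CONNECTION": "keep-alive, X-Real-IP"},
    {"REQUEST_METHOD": "GET", "PATH_INFO": "/v1/status", "REMOTE_ADDR": "203.0.113.5",
     "HTTP_HOST": "concerto.example", "HTTP_CONNECTION": "close"},
]


def demo():
    """Push the sample requests through the filter; return the status line per request."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]

    statuses = []
    filtered = InterimFilter(app)
    for environ in SAMPLE_REQUESTS:
        list(filtered(environ, lambda status, _hdrs: statuses.append(status)))
    return statuses


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

The Connection header is parsed as a comma-separated token list and compared case-insensitively, so variants such as `keep-alive, X-Real-IP` are caught; the warning line carries method, path, client address and reason so it can be correlated with proxy and application logs.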

Update

In a statement shared with The Hacker News, Versa Networks said the issues were addressed in Concerto version 12.2.1 GA, released on April 16, 2025. The company's full statement is below:

Versa is committed to maintaining the highest standards of security and transparency across the platform.

On February 13, 2025, three vulnerabilities were identified and reported on the Concerto software platform. As part of our standard security response process, fixes were developed and verified for customer use, with completion on March 7, 2025. Generally available (GA) software releases including these fixes were made available to all customers on April 16, 2025.

Many customers have already upgraded to the April 16 release, but we are aware that some deployments may still be pending. Additional information about affected releases and mitigation procedures has been posted and is accessible only to our customers.

There is no indication that these vulnerabilities have been exploited in the wild, and no customer impact has been reported. All affected customers were notified through established security and support channels with guidance on how to apply recommended updates.

In keeping with its responsible disclosure practices, Versa takes a proactive approach to identifying, mitigating, and communicating potential risks. Security is foundational to our platform, and we continue to invest in continuous monitoring, rapid response, and customer education as part of our commitment to trust and protection.

(The story was updated after publication to include a response from Versa Networks regarding patch information.)
