Two-Factor Authentication Vulnerability in Versa Director SD-WAN Platform
CVE-2025-23168

Currently unrated

Key Information:

Vendor
CVE Published: 19 June 2025

What is CVE-2025-23168?

The Versa Director SD-WAN orchestration platform contains a vulnerability in its implementation of Two-Factor Authentication (2FA), which relies on One-Time Passcodes (OTPs) delivered through SMS or email. The flaw allows malicious actors who possess valid user credentials to hijack OTP delivery to their own devices. OTPs are not invalidated after use, and login attempts are inadequately restricted, which further exposes users to risk. In addition, OTP values are generated from a limited keyspace, which makes brute-force attacks conceivable. There have been no confirmed instances of exploitation, but security researchers have disclosed a proof of concept, which underlines the urgency of applying the latest software updates as recommended by Versa Networks.
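The weaknesses named above (no invalidation after use, weak attempt limits, a small keyspace) each correspond to a check an OTP verifier can enforce. The sketch below is an added illustration, not Versa Director code: the class, its parameters, the 8-digit length, the 5-guess limit and the 300-second lifetime are all assumptions. The page does not say how delivery is redirected, so the sketch only shows the destination being read from the server-side enrolment record.

```python
import hmac
import secrets
import time

OTP_DIGITS = 8          # assumed length: 10**8 possible values
OTP_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5        # assumed guess budget per issued code


class OtpService:
    """Illustrative OTP issuer/verifier; every name here is hypothetical."""

    def __init__(self, enrolled_contacts, send, clock=time.monotonic):
        self._contacts = enrolled_contacts  # user -> enrolled phone/email
        self._send = send                   # callable(destination, code)
        self._clock = clock
        self._pending = {}                  # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        # Destination comes only from the enrolment record held by the
        # server, never from a field supplied with the login request.
        destination = self._contacts[user]
        # CSPRNG draw over the whole keyspace, zero-padded to fixed width.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Issuing a new code replaces, and so invalidates, any earlier one.
        self._pending[user] = [code, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self._send(destination, code)

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[user]         # expired or exhausted: discard
            return False
        entry[2] = attempts_left - 1        # count the guess before comparing
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[user]         # single use: a replay now fails
            return True
        if entry[2] == 0:
            del self._pending[user]         # guess budget spent: code is dead
        return False
```

The guess limit is per issued code, so a real deployment would also rate-limit how often `issue` can be called for an account.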

Timeline

  • Vulnerability published
