Authentication Bypass Vulnerability in Versa Concerto SD-WAN Orchestration Platform
CVE-2025-34026

9.2CRITICAL

Key Information:

Vendor: Versa
Status: Concerto
Vendor: CVE Published:; 21 May 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-34026?

The Versa Concerto SD-WAN orchestration platform contains a vulnerability that allows an attacker to bypass authentication due to a misconfiguration in the Traefik reverse proxy. This flaw potentially grants access to sensitive administrative endpoints, enabling unauthorized access to sensitive internal data, such as heap dumps and trace logs. Affected versions include Concerto from 12.1.2 to 12.2.0, with other versions possibly impacted as well. Organizations using this platform must take immediate steps to mitigate this vulnerability.

Affected Version(s)

Concerto 12.1.2 <= 12.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34026 - Proof of Concept

References

https://projectdiscovery.io/blog/versa-concerto-authentic...

exploitmitigation

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 21, 2025
👾
Exploit known to exist
May 21, 2025
Vulnerability published
May 21, 2025
Vulnerability Reserved
Apr 15, 2025

Credit

ProjectDiscovery

Harsh Jaiswal

Rahul Maini

Parth Malhotra