CVE-2025-34026

high-risk
Published 2025-05-21

The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

Do I need to act?

!
75.1% chance of exploitation in next 30 days
EPSS score — higher than 25% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (3)

Affected Vendors

Versa-Networks

References (4)

Exploit https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
Exploit https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
Vendor Advisory https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff...
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-...
61
/ 100
high-risk
Severity 26/34 · High
Exploitability 26/34 · High
Exposure 9/34 · Low