{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-34027", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.545Z", "datePublished": "2025-05-21T21:58:31.698Z", "dateUpdated": "2025-09-23T15:44:45.971Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["Traefik"], "product": "Concerto", "vendor": "Versa", "versions": [{"lessThanOrEqual": "12.2.0", "status": "affected", "version": "12.1.2", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "sponsor", "value": "ProjectDiscovery"}, {"lang": "en", "type": "finder", "value": "Harsh Jaiswal"}, {"lang": "en", "type": "finder", "value": "Rahul Maini"}, {"lang": "en", "type": "finder", "value": "Parth Malhotra"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).<p>This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.</p>"}], "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable."}], "impacts": [{"capecId": "CAPEC-38", "descriptions": [{"lang": "en", "value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths"}]}, {"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 10, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-09-23T15:44:45.971Z"}, "references": [{"tags": ["exploit", "mitigation"], "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"}], "source": {"discovery": "UNKNOWN"}, "title": "Versa Concerto Authentication Bypass File Write Remote Code Execution", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-27T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-34027"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-28T03:56:04.254Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34027", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-22T15:07:52.824799Z"}}}], "references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-22T15:09:08.732Z"}}], "cna": {"title": "Versa Concerto Authentication Bypass File Write Remote Code Execution", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "sponsor", "value": "ProjectDiscovery"}, {"lang": "en", "type": "finder", "value": "Harsh Jaiswal"}, {"lang": "en", "type": "finder", "value": "Rahul Maini"}, {"lang": "en", "type": "finder", "value": "Parth Malhotra"}], "impacts": [{"capecId": "CAPEC-38", "descriptions": [{"lang": "en", "value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths"}]}, {"capecId": "CAPEC-29", "descriptions": [{"lang": "en", "value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Versa", "modules": ["Traefik"], "product": "Concerto", "versions": [{"status": "affected", "version": "12.1.2", "versionType": "semver", "lessThanOrEqual": "12.2.0"}], "defaultStatus": "unknown"}], "references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "tags": ["exploit", "mitigation"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.", "supportingMedia": [{"type": "text/html", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).<p>This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-09-23T15:44:45.971Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34027", "state": "PUBLISHED", "dateUpdated": "2025-09-23T15:44:45.971Z", "dateReserved": "2025-04-15T19:15:22.545Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-05-21T21:58:31.698Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable."}, {"lang": "es", "value": "La plataforma de orquestaci\u00f3n SD-WAN Versa Concerto es vulnerable a una omisi\u00f3n de autenticaci\u00f3n en la configuraci\u00f3n del proxy inverso Traefik, lo que permite a un atacante acceder a los endpoints administrativos. El endpoint de carga de Spack puede aprovecharse para una escritura TOCTOU (Tiempo de Verificaci\u00f3n a Tiempo de Uso) en combinaci\u00f3n con una condici\u00f3n de ejecuci\u00f3n para lograr la ejecuci\u00f3n remota de c\u00f3digo mediante la manipulaci\u00f3n de la carga de rutas, lo que permite que un agente no autenticado logre la ejecuci\u00f3n remota de c\u00f3digo (RCE). Se sabe que este problema afecta a Concerto desde la versi\u00f3n 12.1.2 hasta la 12.2.0. Otras versiones podr\u00edan ser vulnerables."}], "id": "CVE-2025-34027", "lastModified": "2025-09-23T16:15:32.103", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-05-21T22:15:50.680", "references": [{"source": "disclosure@vulncheck.com", "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}