CVE-2025-34027

CVSS

No CVSS.

T

he Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

References

Link	Resource
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce

Configurations

No configuration.

History

23 Sep 2025, 16:15

Type	Values Removed	Values Added
CWE	CWE-362 CWE-287	CWE-367

23 May 2025, 15:55

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-21 22:15

Updated : 2025-09-23 16:15

NVD link : CVE-2025-34027

Mitre link : CVE-2025-34027

CVE.ORG link : CVE-2025-34027

JSON object : View

Products Affected

No product.

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2025-34027", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-21T22:15:50.680", "references": [{"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "source": "[email protected]"}, {"url": "https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable."}, {"lang": "es", "value": "La plataforma de orquestaci\u00f3n SD-WAN Versa Concerto es vulnerable a una omisi\u00f3n de autenticaci\u00f3n en la configuraci\u00f3n del proxy inverso Traefik, lo que permite a un atacante acceder a los endpoints administrativos. El endpoint de carga de Spack puede aprovecharse para una escritura TOCTOU (Tiempo de Verificaci\u00f3n a Tiempo de Uso) en combinaci\u00f3n con una condici\u00f3n de ejecuci\u00f3n para lograr la ejecuci\u00f3n remota de c\u00f3digo mediante la manipulaci\u00f3n de la carga de rutas, lo que permite que un agente no autenticado logre la ejecuci\u00f3n remota de c\u00f3digo (RCE). Se sabe que este problema afecta a Concerto desde la versi\u00f3n 12.1.2 hasta la 12.2.0. Otras versiones podr\u00edan ser vulnerables."}], "lastModified": "2025-09-23T16:15:32.103", "sourceIdentifier": "[email protected]"}