vulnerability

Versa Concerto: CVE-2025-34026: Authentication Bypass Using an Alternate Path or Channel

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:C/I:N/A:N)	May 21, 2025	Jan 28, 2026	Jan 28, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Published

May 21, 2025

Added

Jan 28, 2026

Modified

Jan 28, 2026

Description

The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs. This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

Solution

versa-concerto-upgrade-latest

References

CVE-2025-34026
https://attackerkb.com/topics/CVE-2025-34026
URL-https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
CWE-288

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today