vulnerability

Versa Concerto: CVE-2025-34026: Authentication Bypass Using an Alternate Path or Channel

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Published

May 21, 2025

Added

Jan 28, 2026

Modified

Jan 28, 2026

Description

The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs. This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

Solution

versa-concerto-upgrade-latest

References

CVE-2025-34026
https://attackerkb.com/topics/CVE-2025-34026
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
CWE-288

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report