Do Son 
Three zero-day vulnerabilities have been discovered within the networks of major telecommunications companies with direct exposure to the internet—flaws that could have granted attackers full control over critical systems. These issues affected Concerto, the orchestration layer atop Versa Director, which governs the SD-WAN and SASE solutions offered by Versa Networks.
Founded twelve years ago, Versa Networks has established itself as a prominent force in the secure access and software-defined networking markets, earning a reputation as both a trusted partner to large enterprises and a prime target for sophisticated adversaries. Notably, last year, the China-linked threat group Volt Typhoon exploited a vulnerability in Versa Director to launch an attack.
Researchers at ProjectDiscovery uncovered three previously unknown zero-day flaws in the Concerto module. Although all vulnerabilities have since been patched, the threat persisted for organizations that had exposed their Concerto instances to the public internet. While updates were released, the onus of applying them remains with the clients themselves.
The first vulnerability, assigned CVE-2025-34025 and rated 8.6 on the CVSS scale, stemmed from a misconfiguration in the Docker container, which allowed two of its directories to directly interact with the host’s file system. This misstep enabled a threat actor to execute a malicious script at the system level, thereby escaping the confines of the container and escalating privileges.
The second flaw, CVE-2025-34026, received a critical rating of 9.2. It involved the way Concerto communicated with the Traefik container, which handles incoming traffic. Traefik appended the X-Real-IP header, used for filtering suspicious requests. However, researchers discovered a method to strip this header, effectively bypassing the validation mechanism and gaining access to sensitive data—including plaintext passwords and session tokens.
The most severe of the three, CVE-2025-34027, earned a maximum CVSS score of 10.0. This vulnerability comprised a chain of issues: a TOCTOU (Time-of-Check to Time-of-Use) bug, a failure in handling uploaded packages, and a thread race condition—each compounding to enable the stealthy execution of arbitrary code.
According to ProjectDiscovery, with code execution capabilities or access to the administrative console, an attacker could pivot laterally to other interconnected components, including Versa Director, and exfiltrate highly sensitive data such as Active Directory credentials or internal proxy accounts.
Fortunately, the number of exposed Concerto instances on the internet appeared limited to a few dozen organizations. However, these were all major telecommunications providers—an attractive target for threat groups like Volt Typhoon.
ProjectDiscovery initially disclosed the vulnerabilities to Versa Networks on February 13. Communications between the two parties lapsed during April and May, leading to a mistaken report on May 21 suggesting that no fixes had been issued. However, Versa later confirmed that hotfixes had been made available by March 7, with a comprehensive update finalized on April 16.
In an official statement, the company noted that all customers were notified via support and security channels. While many have already applied the patches, Versa acknowledged that some deployments remain in progress. Importantly, no evidence of exploitation in the wild has been reported to date.
Donate