CVE-2024-39717 — Versa Director Dangerous File Type Upload Vulnerability

Versa Networks Director — PNG File Upload Delivers Malicious JAR; Exploited by Volt Typhoon for SD-WAN Infrastructure Compromise

What is Versa Networks Director?

Versa Networks Director is the centralized management and orchestration platform for Versa's SD-WAN and SASE (Secure Access Service Edge) infrastructure. It is used by ISPs, telecom providers, and large enterprises to manage distributed software-defined network deployments spanning hundreds or thousands of branch offices and remote sites. Because Director manages the entire SD-WAN fabric — routing, security policies, and connectivity — a compromised Director instance provides an attacker with visibility and control over an organization's entire wide-area network. Director is deployed by critical infrastructure providers including US ISPs and telecommunications companies.

Overview

CVE-2024-39717 is a dangerous file type upload vulnerability in Versa Director's "Change Favicon" feature that allows a high-privileged attacker to upload a disguised Java Archive (JAR) file with a .png extension. When processed by the Java-based Director platform, the JAR executes as code, providing remote code execution on the Director server. The vulnerability was exploited by Volt Typhoon — a Chinese state-sponsored threat actor — to compromise US ISP and telecommunications infrastructure. Lumen Technologies' Black Lotus Labs attributed the campaign and CISA added the CVE to the KEV catalog one day after publication.

Affected Versions

Product          Vulnerable   Fixed
Versa Director   < 22.1.4     22.1.4

Technical Details

CWE-434 (Unrestricted Upload of File with Dangerous Type). The Versa Director web UI includes a "Change Favicon" feature that allows administrative users to upload a custom icon for the management portal. The upload handler validates the file extension (.png) but does not validate the actual file content (magic bytes / MIME type). An attacker with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges can upload a file with a .png extension whose content is a valid Java ARchive (JAR). Because Director is a Java application, the uploaded file is accessible via a predictable URL path and can be loaded as executable Java code by the Director JVM when accessed through a crafted request — achieving server-side code execution.

The exploitation path: admin credential compromise (via phishing or credential reuse) → upload malicious JAR disguised as PNG via "Change Favicon" → trigger JAR execution → persistent server-side access to the Director management plane.

Discovery

Discovered and publicly attributed by Lumen Technologies' Black Lotus Labs, who identified the exploitation in the context of a Volt Typhoon campaign targeting US ISP infrastructure. Volt Typhoon is a China-nexus APT group focused on pre-positioning in US critical infrastructure for potential future disruption.

Exploitation Context

Volt Typhoon's exploitation of CVE-2024-39717 against US ISPs represents a supply chain attack on network infrastructure: by compromising SD-WAN management platforms, the group gained the ability to monitor and potentially manipulate traffic flows across the ISPs' customers. This aligns with Volt Typhoon's documented strategy of establishing persistent access in US critical infrastructure — power, water, communications, and transportation — for use in a potential future conflict scenario. Versa Director's role managing ISP-scale SD-WAN deployments makes it a high-value target for nation-state pre-positioning.

Remediation

  1. Upgrade Versa Director to version 22.1.4 or later immediately.
  2. Harden Director access: restrict management interface access to authorized administrator IP addresses; require MFA for all admin accounts.
  3. Audit Director administrator accounts and review recent file uploads, configuration changes, and access logs for signs of compromise prior to patching.
  4. Check uploaded favicon files for the JAR/ZIP signature (magic bytes PK\x03\x04): a JAR masquerading as a PNG carries these bytes at offset 0, rather than the PNG signature, despite its .png extension.
  5. Rotate all Versa Director administrative credentials and review API keys after patching.
  6. Report potential Volt Typhoon indicators to CISA and your sector-specific ISAC.
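The content-based check that the technical details say was missing, and the audit in remediation step 4, as an added example (not Versa's code): a classifier that looks at the leading bytes of an upload, a hardened gate that requires both the .png extension and PNG content, and an audit helper that flags .png-named uploads whose bytes are not PNG. The PNG and JAR samples are constructed in memory and hypothetical.

```python
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte PNG signature
ZIP_MAGIC = b"PK\x03\x04"         # ZIP local-file header; a JAR with entries starts with it

def classify_favicon(data: bytes) -> str:
    """Classify an upload by its content only, ignoring the file name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ZIP_MAGIC):
        # A JAR is a ZIP carrying META-INF/MANIFEST.MF; tell it apart from a plain ZIP.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "META-INF/MANIFEST.MF" in zf.namelist():
                    return "jar"
        except zipfile.BadZipFile:
            pass
        return "zip"
    return "unknown"

def weak_extension_only_check(filename: str) -> bool:
    """The CWE-434 pattern described above: the extension is the only gate."""
    return filename.lower().endswith(".png")

def validate_favicon_upload(filename: str, data: bytes) -> bool:
    """Hardened gate: the extension AND the content must both say PNG."""
    return weak_extension_only_check(filename) and classify_favicon(data) == "png"

def audit_uploads(uploads: dict) -> list:
    """Remediation step 4: names of .png uploads whose bytes are not a PNG."""
    return sorted(name for name, data in uploads.items()
                  if name.lower().endswith(".png") and classify_favicon(data) != "png")

# Constructed samples (hypothetical, not taken from any real upload).
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR"  # truncated PNG header, enough for the check

def build_sample_jar() -> bytes:
    """Build a minimal JAR-shaped archive in memory (manifest plus a text entry)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("README.txt", "constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    disguised = build_sample_jar()
    print(weak_extension_only_check("favicon.png"))           # True: the name alone passes
    print(validate_favicon_upload("favicon.png", disguised))  # False: the content is a JAR
```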

Key Details

Property               Value
CVE ID                 CVE-2024-39717
Vendor / Product       Versa — Director
NVD Published          2024-08-22
NVD Last Modified      2025-10-30
CVSS 3.1 Score         7.2
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-434
CISA KEV Added         2024-08-23
CISA KEV Deadline      2024-09-13
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-09-13. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-08-22   CVE published; Versa Networks releases Director 22.1.4 fixing the file upload vulnerability
2024-08-23   Added to CISA Known Exploited Vulnerabilities catalog
2024-09-13   CISA BOD 22-01 remediation deadline