CVE-2025-34026

What is Versa Concerto?

Versa Concerto is the centralized management and orchestration plane for Versa Networks' SD-WAN platform. Large enterprises deploy it to provision, monitor, and configure distributed SD-WAN edges across their branch networks. As the control plane for the SD-WAN fabric, Concerto has privileged access to network routing policies, VPN configurations, and connected device credentials across an organization's entire WAN infrastructure — making it an extremely high-value compromise target.

Versa Networks' products have been targeted by sophisticated threat actors: CVE-2024-39717 was exploited by Volt Typhoon (Chinese state-sponsored) to compromise SD-WAN infrastructure at telecommunications and critical infrastructure organizations.

Overview

CVE-2025-34026 is an authentication bypass (CWE-288) in the Versa Concerto SD-WAN orchestration platform. The Traefik reverse proxy in front of Concerto's internal Spring Boot application was configured to gate access to /actuator/* endpoints using the X-Real-Ip header. A known Traefik vulnerability allows that header to be dropped entirely, bypassing the access control check and exposing Spring Boot Actuator endpoints (heap dumps, trace logs, environment variables) to unauthenticated attackers. This is the first step in a three-CVE chain leading to full RCE and container escape.

Affected Versions

Technical Details

Versa Concerto uses Traefik as its reverse proxy. The Traefik configuration used the presence of the X-Real-Ip header as the access control gate for /actuator/* Spring Boot management endpoints. By exploiting a known Traefik security issue (GHSA-62c8-mh53-4cqv), attackers could send requests that caused Traefik to drop the X-Real-Ip header entirely — bypassing the header-based access check and reaching the Actuator API unauthenticated.

Spring Boot Actuator endpoints expose:

• /actuator/heapdump: full JVM heap dump (contains credentials, session tokens, encryption keys in memory)
• /actuator/httptrace or /actuator/httpexchanges: recent HTTP request/response traces including auth headers
• /actuator/env: environment variables (can contain API keys, database passwords)

Three-CVE exploitation chain (all disclosed together):

1. CVE-2025-34026 (this CVE): Traefik header drop → unauthenticated Spring Boot Actuator access → extract session tokens/credentials from heap dump
2. CVE-2025-34027: Authentication bypass + arbitrary file write → place webshell in web-served directory → RCE
3. CVE-2025-34025: Container escape via misconfigured Docker volume mounts exposing host /usr/bin/ → full host OS compromise

Discovery

ProjectDiscovery researchers Harsh Jaiswal, Rahul Maini, and Parth Malhotra. Published May 21, 2025 after coordinated disclosure.

Exploitation Context

CISA added CVE-2025-34026 to the KEV catalog on January 22, 2026, confirming active exploitation. The eight-month gap between the March 2025 patch and the January 2026 KEV listing indicates that attackers were exploiting unpatched instances for an extended period. Versa's prior targeting by Volt Typhoon suggests nation-state interest in SD-WAN infrastructure as a network access vector.

Remediation

1. Apply the Versa Concerto patches from March 7, 2025 for all three CVEs (34026, 34027, 34025) simultaneously.
2. Restrict access to Concerto's management interface at the network level — it should not be internet-accessible; place it behind a VPN or management-only network segment.
3. Disable Spring Boot Actuator endpoints (management.endpoints.web.exposure.include) in production if not operationally required.
4. Extract and rotate all credentials from Concerto: SD-WAN edge device credentials, network admin passwords, API tokens — assume everything accessible from the Actuator heap dump was compromised.
5. Apply the container escape fix (CVE-2025-34025) — even if Concerto is behind a firewall, container escape can enable lateral movement on the underlying host.