\n<\/p>\n
Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances.<\/p>\n
It’s worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues following the end of the 90-day deadline.<\/p>\n
“These vulnerabilities, when chained together, could allow an attacker to fully compromise both the application and the underlying host system,” ProjectDiscovery researchers Harsh Jaiswal, Rahul Maini, and Parth Malhotra said in a report shared with The Hacker News.<\/p>\n
<\/p>\n
The security defects are listed below –<\/p>\n
* **CVE-2025-34025** (CVSS score: 8.6) – A privilege escalation and Docker container escape vulnerability that’s caused by unsafe default mounting of host binary paths and could be exploited to gain code execution on the underlying host machine
* **CVE-2025-34026** (CVSS score: 9.2) – An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to access heap dumps and trace logs by exploiting an internal Spring Boot Actuator endpoint via CVE-2024-45410
* **CVE-2025-34027** (CVSS score: 10.0) – An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to achieve remote code execution by exploiting an endpoint related to package uploads (“\/portalapi\/v1\/package\/spack\/upload”) via arbitrary file writes<\/p>\n
Successful exploitation of CVE-2025-34027 could allow an attacker to leverage a race condition and write malicious files to disk, ultimately resulting in remote code execution using LD_PRELOAD and a reverse shell.<\/p>\n
“Our approach involved overwriting ..\/..\/..\/..\/..\/..\/etc\/ld.so.preload with a path pointing to \/tmp\/hook.so,” the researchers said. “Simultaneously, we uploaded \/tmp\/hook.so, which contained a compiled C binary for a reverse shell. Since our request triggered two file write operations, we leveraged this to ensure that both files were written within the same request.”<\/p>\n
<\/p>\n
“Once these files were successfully written, any command execution on the system while both persisted would result in the execution of \/tmp\/hook.so, thereby giving us a reverse shell.”<\/p>\n
In the absence of an official fix, users are advised to block semicolons in URL paths and drop requests where the Connection header contains the value X-Real-Ip. It’s also recommended to monitor network traffic and logs for any suspicious activity.<\/p>\n
The Hacker News has reached out to Versa Networks for comment, and we will update the story if we hear back.<\/p>\n
Found this article interesting? Follow us on Twitter _\uf099_ and LinkedIn to read more exclusive content we post.\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host Update ID THN:E8E568C72F1DC3ECEB98B0AF52D7B4CF Type thn Published 2025-05-22T11:06:00 Last…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,13,7,11,43,5],"class_list":["post-5649","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n
Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=5649\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host Update ID THN:E8E568C72F1DC3ECEB98B0AF52D7B4CF Type thn Published 2025-05-22T11:06:00 Last...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=5649\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-22T08:40:05+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5649#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5649\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host\",\"datePublished\":\"2025-05-22T08:40:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5649\"},\"wordCount\":552,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-10.0\",\"exploit\",\"news\",\"Security\",\"tapic\",\"thn\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5649#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5649\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5649\",\"name\":\"Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-22T08:40:05+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5649#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5649\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5649#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=5649","og_locale":"en_US","og_type":"article","og_title":"Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host - zero redgem","og_description":"Security Update News Update Information Title Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host Update ID THN:E8E568C72F1DC3ECEB98B0AF52D7B4CF Type thn Published 2025-05-22T11:06:00 Last...","og_url":"https:\/\/zero.redgem.net\/?p=5649","og_site_name":"zero redgem","article_published_time":"2025-05-22T08:40:05+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=5649#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=5649"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host","datePublished":"2025-05-22T08:40:05+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=5649"},"wordCount":552,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-10.0","exploit","news","Security","tapic","thn","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=5649#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=5649","url":"https:\/\/zero.redgem.net\/?p=5649","name":"Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-22T08:40:05+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=5649#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=5649"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=5649#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5649","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5649"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5649\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5649"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5649"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}