
Telco Systems at Risk from Versa Concerto Exploits


A new set of critical Versa Concerto vulnerabilities has been disclosed, affecting dozens of internet-facing instances used by large telecommunications providers like Telco Systems. While the flaws have since been patched, their potential severity underscores the increasing attention attackers are paying to secure access service edge (SASE) platforms used in sensitive infrastructure.

Versa Networks, a 12-year-old SASE vendor, has grown steadily thanks to major enterprise adoption. But that popularity has also made it a target. In 2023, Chinese APT group Volt Typhoon exploited Versa Director. Now, researchers from ProjectDiscovery have uncovered a trio of zero-days in Concerto—Versa’s orchestration layer for SD-WAN and network security operations. These flaws allowed for privilege escalation, authentication bypass, and even remote code execution (RCE).

Inside the Versa Concerto Vulnerabilities: Three CVEs, One Major Threat

The first issue, tracked as CVE-2025-34025, stems from a Docker misconfiguration. Two directories in the “core-service” container were mapped directly to the host’s file system. An attacker could use this setup to escalate privileges and escape the container, ultimately gaining control of the host system. The bug received a CVSS score of 8.6.
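
A defender's audit for the class of misconfiguration described above, as an added example that is not code from the article, ProjectDiscovery, or Versa: it reads `docker inspect` JSON and rates every host bind mount by exposure. Only the container name `core-service` comes from the article; the other container names, all paths, and the sensitive-directory list are constructed assumptions.

```python
import json
import posixpath

# Constructed sample in the shape of `docker inspect` output. The container
# name "core-service" is from the article; every path is a placeholder.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/core-service", "Mounts": [
        {"Type": "bind", "Source": "/srv/placeholder-a", "Destination": "/app/a", "RW": True},
        {"Type": "bind", "Source": "/srv/placeholder-b", "Destination": "/app/b", "RW": True},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/d/_data", "Destination": "/data", "RW": True},
    ]},
    {"Name": "/web-ui", "Mounts": [
        {"Type": "bind", "Source": "/srv/placeholder-certs", "Destination": "/certs", "RW": False},
    ]},
    {"Name": "/helper", "Mounts": [
        {"Type": "bind", "Source": "/etc/placeholder-conf", "Destination": "/conf", "RW": True},
    ]},
])

# Host directories where a bind mount gets the highest rating (assumed list).
SENSITIVE_DIRS = ("/etc", "/root", "/usr", "/run", "/var/run")


def is_under(path, parent):
    """True if path equals parent or lies beneath it."""
    return path == parent or path.startswith(parent + "/")


def audit_bind_mounts(inspect_json):
    """Return one finding per host bind mount, rated by exposure."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue  # Docker-managed volumes and tmpfs are out of scope here
            source = posixpath.normpath(mount.get("Source", ""))
            writable = bool(mount.get("RW", True))
            sensitive = source == "/" or any(is_under(source, d) for d in SENSITIVE_DIRS)
            if sensitive:
                severity = "critical" if writable else "high"
            else:
                severity = "high" if writable else "review"
            findings.append({"container": name, "source": source,
                             "destination": mount.get("Destination"),
                             "writable": writable, "severity": severity})
    return findings
```

On a live host, the same function can be fed the output of `docker inspect $(docker ps -q)` in place of the constructed sample.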

The second vulnerability, CVE-2025-34026, was even more dangerous. Versa’s Traefik proxy added an X-Real-Ip header used for authentication. But researchers found a method to strip this header using a known bypass, giving them access to protected endpoints—where sensitive data like plaintext credentials and session tokens were stored. This flaw was rated critical, scoring 9.2 on the CVSS scale.

The most severe was CVE-2025-34027, which combined a time-of-check to time-of-use (TOCTOU) flaw, a package upload vulnerability, and a race condition to enable complete RCE. This exploit chain allowed attackers to bypass authentication, plant malicious files, and trick the system into executing them—earning it a perfect 10.0 CVSS rating.

Each vulnerability alone posed a serious risk, but together they offered a path for attackers to fully compromise affected Concerto systems and pivot to connected Versa Director servers, potentially accessing plaintext Active Directory passwords and internal proxy credentials.

Patches Released, But Risks Remain

ProjectDiscovery first reported the vulnerabilities to Versa on February 13. A hotfix was released on March 7, followed by a full software update on April 16. Versa clarified that affected customers were notified via standard support channels and urged to apply the fixes. Many clients have already upgraded, but some deployments remain unpatched.

The good news: there’s currently no evidence of exploitation in the wild. The bad news: these flaws affected telcos and other large infrastructure operators, and Concerto instances exposed to the internet—even in small numbers—represent prime targets for advanced threat actors.

“This wasn’t about hitting small businesses,” said ProjectDiscovery researcher Rahul Maini. “These were critical systems used by major telecom providers, which is why attackers like Volt Typhoon have taken such interest.”
