CVE-2025-34027: Versa Concerto Authentication Bypass File Write Remote Code Execution

10.0 CVSS

Description

The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

Classification

CVE ID: CVE-2025-34027

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Problem Types

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-287 Improper Authentication

Affected Products

Vendor: Versa

Product: Concerto

Nuclei Template

http/cves/2025/CVE-2025-34027.yaml

Exploit Prediction Scoring System (EPSS)

EPSS Score: 3.09% (probability of being exploited)

EPSS Percentile: 86.16% (scored less or equal to compared to others)

EPSS Date: 2025-05-31 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-34027
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce

Timeline

2025-05-21 22:40:20 UTC
CVE

Versa Concerto Authentication Bypass File Write Remote Code Execution