Three 0Days Turned Versa Concerto into a Telecom Hijacking Tool
Header manipulation, container escape, and TOCTOU—and you’re inside the network.
Three zero-day vulnerabilities in Versa Networks’ Concerto—the orchestration layer for its SD-WAN and SASE solutions—could have allowed attackers to seize control of critical telecom systems. The flaws, discovered by ProjectDiscovery, affected internet-exposed Concerto instances, putting major communication providers at risk.
The Vulnerabilities: Full System Takeover Possible
- CVE-2025-34025 (CVSS 8.6) – Container Escape via Misconfigured Docker
  - Two host directories were improperly mounted, allowing attackers to break out of the container and execute malicious scripts with elevated privileges.
- CVE-2025-34026 (CVSS 9.2) – Authentication Bypass via Traefik Header Tampering
  - The X-Real-Ip header, used for request filtering, could be stripped, bypassing security checks and exposing plaintext passwords, session tokens, and sensitive data.
- CVE-2025-34027 (CVSS 10.0) – RCE via TOCTOU + File Upload Race Condition
  - A time-of-check to time-of-use (TOCTOU) flaw, combined with improper package handling and thread race exploitation, allowed arbitrary code execution—effectively giving attackers full control.
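The fail-open pattern behind the X-Real-Ip bypass described above, next to a fail-closed alternative. This is an added example, not Versa's or Traefik's code; the page does not give the actual filter rule, so the rule, routes, subnets and requests here are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed values for illustration; none come from Versa Concerto.
SENSITIVE_PREFIXES = ("/admin/", "/internal/")      # hypothetical protected routes
TRUSTED_PROXIES = (ip_network("10.0.0.0/24"),)      # hypothetical proxy subnet
ADMIN_CLIENTS = ip_network("192.168.10.0/24")       # hypothetical operator subnet


def real_ip(headers):
    # Header names are case-insensitive; return '' when X-Real-Ip is absent.
    return next((v for k, v in headers.items() if k.lower() == "x-real-ip"), "")


def fail_open_allows(path, headers):
    # Weak rule (assumed): a sensitive path is blocked only when X-Real-Ip is
    # present, so a request that arrives without the header is never filtered.
    return not (path.startswith(SENSITIVE_PREFIXES) and real_ip(headers))


def fail_closed_allows(path, headers, peer_ip):
    # Hardened rule: the TCP peer must be a known proxy, and a missing or
    # unparsable X-Real-Ip is a reason to deny, not a sign of internal traffic.
    if not path.startswith(SENSITIVE_PREFIXES):
        return True
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return False
    try:
        return ip_address(real_ip(headers)) in ADMIN_CLIENTS
    except ValueError:
        return False


def compare(requests):
    # Return (label, weak_decision, hardened_decision) for each request.
    return [(label, fail_open_allows(path, hdrs),
             fail_closed_allows(path, hdrs, peer))
            for label, path, hdrs, peer in requests]


SAMPLE = [  # constructed requests: (label, path, headers, TCP peer address)
    ("external, header set", "/admin/users", {"X-Real-Ip": "203.0.113.7"}, "10.0.0.5"),
    ("external, header missing", "/admin/users", {}, "10.0.0.5"),
    ("operator via proxy", "/admin/users", {"X-Real-IP": "192.168.10.20"}, "10.0.0.5"),
    ("public page", "/login", {"X-Real-Ip": "203.0.113.7"}, "10.0.0.5"),
]
```

Running `compare(SAMPLE)` shows the second request passing the weak rule and failing the hardened one, which is the difference between treating a missing header as trust and treating it as a denial.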
Attack Potential: From Concerto to Full Network Compromise
Once inside, attackers could:
- Move laterally to Versa Director (previously exploited by China-linked Volt Typhoon).
- Steal Active Directory credentials, internal proxy accounts, and other critical assets.
- Disrupt or intercept telecom traffic at an enterprise or ISP level.
Who Was at Risk?
- Only dozens of large telecom providers had internet-facing Concerto instances.
- However, these were high-value targets for APTs like Volt Typhoon.
Patch Timeline & Confusion
- Feb 13, 2025: ProjectDiscovery reported the flaws to Versa.
- Mar 7: Hotfixes released.
- Apr 16: Full patches deployed.
- May 21: Miscommunication led to a false "unpatched" alert, later corrected.
Versa’s Response
- All customers were notified via security channels.
- Some have updated; others are still in progress.
- No real-world exploits detected—this time.
Why It Matters
This case highlights:
Lesson: If you’re running Versa Concerto, check your updates now. If you’re a threat actor… well, you’re probably already reading this.
