🔴 CVE-2025-34026

Versa Concerto SD-WAN orchestration platform contains an authentication bypass vulnerability in the Traefik reverse proxy configuration, allowing attackers to access administrative endpoints and internal Actuator endpoints. This vulnerability provides direct network-based access to heap dumps and trace logs containing sensitive information.

Risk Level: HIGH_RISK

CVSS Score: 9.2

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-21

Added to CISA KEV: 2026-01-22 (246 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-34026 is a critical authentication bypass vulnerability affecting the Versa Concerto SD-WAN orchestration platform [1] [5]. It has been officially recognized as an actively exploited vulnerability and is included in the CISA Known Exploited Vulnerabilities (KEV) Catalog [1] [2].

Technical Details and Exploitation
  • Attack Method: The vulnerability stems from an authentication bypass within the Traefik reverse proxy configuration [1]. Specifically, it involves improper handling of the `X-Real-Ip` header when interacting with Spring Boot Actuator endpoints [3]. By omitting this header, attackers can bypass authentication mechanisms to access restricted administrative endpoints [3].
  • Requirements: The attack is network-based and does not require user interaction [1].
  • Impact: Successful exploitation allows unauthorized access to sensitive administrative endpoints and Actuator data, including heap dumps and trace logs, which can lead to further compromise of the orchestration platform [5] [2].

Exploitation and Threat Landscape
  • Active Exploitation: The vulnerability is confirmed to be exploited in the wild, leading to its inclusion in the CISA KEV catalog [1] [2].
  • Proof-of-Concept (PoC): Security researchers have published detection templates for this vulnerability. For instance, ProjectDiscovery released Nuclei templates to identify instances of this vulnerability in enterprise networks [4] [6].
  • Campaigns: While specific attribution to ransomware groups or targeted campaigns is not detailed in public NVD records, its presence in the CISA KEV catalog underscores its high risk and utility to threat actors for initial access or reconnaissance in enterprise environments [2].

Mitigation and Status
  • Affected Versions: The vulnerability affects the Versa Concerto SD-WAN orchestration platform [1].
  • Patch Status: Users are strongly advised to consult official security bulletins from Versa Networks for specific patch information and remediation steps [2]. Organizations should prioritize applying these updates to mitigate the risk of unauthorized access.

Sources

  1. CVE-2025-34026 Detail - NVD

    The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration. ... This CVE record has been marked for NVD enrichment efforts. Description. The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypa…

  2. CVE-2025-34026 : The Versa Concerto SD-WAN orchestration platform is ...

    CVE-2025-34026 : The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at att ... CVE-2025-34026 is in the CISA Known Exploited Vulnerabilities Catalog. CISA vulnerability name: Versa Concerto Improper Authenti…

  3. Nuclei Templates Monthly - May 2025 — ProjectDiscovery Blog

    Notably, the release includes coverage for CVE-2025-4427, a remote code execution flaw in Ivanti EPMM, which has been added to CISA’s Known Exploited Vulnerabilities (KEV) list. We’ve also added templates for CVE-2025-34026 and CVE-2025-34027, two authentication bypass issues affecting Versa Concert…

  4. Authentication Bypass to RCE in Versa Concerto

    - CVE-2025-34025: Insecure Docker Mount → Container Escape. - CVE-2025-34026: Actuator Authentication Bypass → Information Leak. - CVE-2025 ... id: CVE-2025-34026 info: name: Versa Concerto Actuator Endpoint - Authentication Bypass author: iamnoooob,rootxharsh,parthmalhotra,pdresearch seve…

  5. CVE-2025-34026: Versa Concerto Auth Bypass Vulnerability - SentinelOne

    CVE-2025-34026 is an authentication bypass flaw in Versa Concerto SD-WAN's Traefik proxy that exposes administrative endpoints and Actuator data. This article covers the technical details, affected versions, and mitigations.

  6. nuclei-templates/http/cves/2025/CVE-2025-34026.yaml at main...

    Community curated list of templates for the nuclei engine to find security vulnerabilities. - nuclei-templates/http/cves/2025/CVE-2025-34026.yaml at main · projectdiscovery/nuclei-templates.