CVE-2025-34027
CRITICAL EXPLOITED NUCLEIVersa Concerto 12.1.2-12.2.0 - RCE via Traefik Auth Bypass and TOCTOU Race
Title source: llmExploitation Summary
CVE-2025-34027 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE).This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
Nuclei Templates (1)
Versa Concerto API Path Based - Authentication Bypass
CRITICALVERIFIEDby iamnoooob,rootxharsh,parthmalhotra,pdresearch
Shodan:
http.favicon.hash:-534530225
References (1)
Core 1
Core References
Various Sources exploit
mitigation
https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce
Scores
CVSS v4
10.0
EPSS
0.3458
EPSS Percentile
98.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2025-07-21
CWE
CWE-367
Status
published
Products (1)
Versa/Concerto
12.1.2 - 12.2.0
Published
May 21, 2025
Tracked Since
Feb 18, 2026