Description
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
CVSS Metrics
- Vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- none
- Confidentiality
- undefined
- Integrity
- undefined
- Availability
- undefined
- Weaknesses
- CWE-288
Metadata
- Primary Vendor
- VERSA-NETWORKS
- Published
- 5/21/2025
- Last Modified
- 1/23/2026
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
versa-networks : concertoversa-networks : concertoversa-networks : concerto
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.