Cyber Resilience

Campaign · all campaigns

Versa Director Zero Day ExploitationC0039 state

🇨🇳 CN · PLA

aka Versa Director Zero Day Exploitation

Run by Volt Typhoon

Last updated: 2026-07-03

0attributed CVEs
13ATT&CK techniques
0.0IDF score (tooling uniqueness)
0exclusive CVEs
years active

About this actor

[Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) was conducted by [Volt Typhoon](https://attack.mitre.org/groups/G1017) from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. [Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) was followed by the delivery of the [VersaMem](https://attack.mitre.org/software/S1154) web shell for both credential theft and follow-on code execution.(Citation: Lumen Versa 2024)

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

CVERiskCVSSEPSSPublishedProducts
No attributed CVEs.

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
CM-68 / 1362%
SI-48 / 1362%
CM-27 / 1354%
AC-46 / 1346%
CA-76 / 1346%
CM-76 / 1346%
SC-76 / 1346%
SI-36 / 1346%
AC-34 / 1331%
SC-234 / 1331%
AC-23 / 1323%
AC-53 / 1323%
AC-63 / 1323%
RA-53 / 1323%
SC-163 / 1323%

Co-occurring actors

None.

Similar actors

Same nation-state