CVE-2025-34027
Published: 21 May 2025
Summary
CVE-2025-34027 is a critical-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Versa Concerto SD-WAN orchestration platform contains an authentication bypass vulnerability in its Traefik reverse proxy configuration that exposes administrative endpoints. The Spack upload endpoint can be abused through a Time-of-Check to Time-of-Use write combined with a race condition, enabling path loading manipulation that leads to remote code execution. The flaw affects versions 12.1.2 through 12.2.0, with additional versions potentially impacted, and carries a CVSS 4.0 score of 10.0 under CWE-367.
An unauthenticated attacker with network access can exploit the bypass to reach privileged endpoints and then chain the TOCTOU condition to execute arbitrary code on the orchestration platform. This grants full control over the SD-WAN environment without requiring credentials or user interaction.
Public analysis of the issue is detailed in reporting from ProjectDiscovery, which describes the authentication bypass and RCE chain but does not include vendor patch or mitigation guidance in the referenced materials.
The EPSS score rose from a low baseline to a peak of 0.0763 on 2026-02-25 before receding to the current value of 0.0278, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16088
Vulnerability details
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE). This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Log timestamps recorded in UTC or with an explicit offset help identify TOCTOU issues by allowing precise chronological reconstruction of check and use operations.