CVE-2025-34027

Critical

Published: 21 May 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 10.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0278 (86.4th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34027 is a critical-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Versa Concerto SD-WAN orchestration platform contains an authentication bypass vulnerability in its Traefik reverse proxy configuration that exposes administrative endpoints. The Spack upload endpoint can be abused through a Time-of-Check to Time-of-Use write combined with a race condition, enabling path loading manipulation that leads to remote code execution. The flaw affects versions 12.1.2 through 12.2.0, with additional versions potentially impacted, and carries a CVSS 4.0 score of 10.0 under CWE-367.

An unauthenticated attacker with network access can exploit the bypass to reach privileged endpoints and then chain the TOCTOU condition to execute arbitrary code on the orchestration platform. This grants full control over the SD-WAN environment without requiring credentials or user interaction.

Public analysis of the issue is detailed in reporting from ProjectDiscovery, which describes the authentication bypass and RCE chain but does not include vendor patch or mitigation guidance in the referenced materials.

The EPSS score rose from a low baseline to a peak of 0.0763 on 2026-02-25 before receding to the current value of 0.0278, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The Spack upload endpoint can be leveraged for a Time-of-Check to Time-of-Use (TOCTOU) write in combination with a race condition to achieve remote code execution via path loading manipulation, allowing an unauthenticated actor to achieve remote code execution (RCE). This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Additional
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-367

Timestamps meeting UTC or offset standards help identify TOCTOU issues through precise chronological reconstruction of check/use operations.