Auth bypass in Versa Concerto Traefik config (12.1.2-12.2.0)
CVE-2025-34026 Published on May 21, 2025
Versa Concerto Actuator Authentication Bypass Information Leak
The Versa Concerto SD-WAN orchestration platform is vulnerable to an authentication bypass in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs. This issue is known to affect Concerto from 12.1.2 through 12.2.0. Additional versions may be vulnerable.
Known Exploited Vulnerability
This Versa Concerto Improper Authentication Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. The Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.
The following remediation steps are recommended / required by February 12, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Weakness Type
Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.
Products Associated with CVE-2025-34026
Affected Versions
Versa Concerto: versions from 12.1.2 through 12.2.0 (<= 12.2.0) are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.