Versa Director
cpe:2.3:a:versa-networks:versa_director:*:*:*:*:*:*:*
- 22.1.4
- 22.1.3
- 22.1.2
- 21.2.3
A vulnerability in the Versa Director SD-WAN orchestration platform allows authenticated attackers to upload web shells via an insecure UCPE image upload. The platform improperly restricts file upload permissions, enabling uploads even when the user interface suggests otherwise. Additionally, Versa Director reveals the full filenames of uploaded temporary files, including UUID prefixes.
Successful exploitation allows authenticated attackers to upload web shells, which could be used to execute arbitrary commands on the server.
Users are advised to upgrade to Versa Director versions 22.1.4 (February 8th Hot Fix), 22.1.3 (June 10, 2025, and later), 22.1.2 (June 10, 2025, and later), or 21.2.3 (June 10, 2025, and later).