Versa Concerto SD-WAN Orchestration Privilege Escalation and Container Escape Vulnerability
Vulnerability
A vulnerability allowing privilege escalation and container escape has been identified in the Versa Concerto SD-WAN orchestration platform, affecting versions starting at 12.1.2 and prior to 12.2.0. The vulnerability arises from unsafe default mounting of host binary paths, which lets containers modify those host paths. Depending on the host operating system configuration, this could lead to remote code execution or direct access to the host.
Impact
Exploitation of this vulnerability allows for unauthorized access to the host system, with the potential for remote code execution, depending on the host's operating system configuration.
Reproduction
The vulnerability can be reproduced by deploying the Versa Concerto application in a Docker container with the default volume mappings that expose host binaries. After uploading a malicious file through the application's package upload endpoint, the same request can be used to overwrite a host binary with a script that initiates a reverse shell. Once the binary is replaced, the cron job that runs on the host will execute the script, providing a shell back to the attacker.
Remediation
Versa has released patches for this vulnerability. Instructions for applying the patch can be found in the Versa Concerto CVE-2025-34025 Patch Bulletin.
