Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Versa Concerto SD-WAN Orchestration Platform Authentication Bypass Vulnerability in Actuator Endpoints

Vulnerability

A vulnerability allowing authentication bypass has been identified in the Versa Concerto SD-WAN orchestration platform, specifically in versions 12.1.2 through 12.2.0. This vulnerability arises from inconsistencies in URL decoding within the Traefik reverse proxy configuration, enabling unauthorized access to administrative endpoints. Exploitation of this flaw can be achieved by omitting the 'X-Real-Ip' header, which is crucial for authentication checks on Actuator endpoints. As a result, attackers can access sensitive functionalities, such as heap dumps and trace logs, potentially leading to further exploitation.

Impact

Exploitation of this vulnerability bypasses authentication controls, allowing unauthorized access to restricted Actuator endpoints. This access can be leveraged to obtain sensitive information, such as heap dumps and trace logs, which may contain session tokens and other credentials. Additionally, this vulnerability is part of a chain that can lead to remote code execution on the host system.

Reproduction

The vulnerability can be reproduced by sending a request to a protected Actuator endpoint without the 'X-Real-Ip' header. Traefik will forward the request without this header, bypassing the authentication check and granting access to the endpoint. This can be automated with a Nuclei template that includes the necessary request details.

Remediation

Users are advised to apply the official patch released by Versa Concerto on May 24, 2025. Until then, temporary measures can be implemented at the reverse proxy or Web Application Firewall (WAF) levels, such as blocking requests with semicolons in the URL paths or dropping requests with 'Connection' headers that include 'X-Real-Ip'.
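The two interim proxy/WAF rules above, as an added reference implementation that is not from the advisory, Versa or Traefik: it parses constructed sample requests and reports which rule each would trip. As an assumed extension, the semicolon rule is also applied to the percent-decoded path, since the flaw is a decoding mismatch between proxy and application; the host name and paths in the samples are constructed placeholders.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, target, headers).
    Header names are lower-cased; repeated headers are merged with commas,
    which is how HTTP list headers such as Connection are meant to combine."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return method, target, headers

def connection_tokens(headers: Dict[str, str]) -> List[str]:
    """Tokens of the Connection header (comma-separated list, case-insensitive)."""
    return [t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()]

def check_request(raw: str) -> List[str]:
    """Names of the interim rules a request violates; an empty list means allow.
    semicolon_in_path    : ';' in the path, checked raw and after one percent-decode
                           (decoded check is an assumed extension of the advisory's rule)
    connection_x_real_ip : 'X-Real-Ip' listed in Connection, which would make the proxy
                           drop that header as hop-by-hop before the app's auth check"""
    _method, target, headers = parse_request(raw)
    path = target.split("?", 1)[0]
    findings = []
    if ";" in path or ";" in unquote(path):
        findings.append("semicolon_in_path")
    if "x-real-ip" in connection_tokens(headers):
        findings.append("connection_x_real_ip")
    return findings

# Constructed sample requests (not captured traffic) exercising each rule.
SAMPLE_REQUESTS = {
    "benign": "GET /api/v1/status HTTP/1.1\r\nHost: concerto.example\r\n\r\n",
    "semicolon": "GET /api;/v1/status HTTP/1.1\r\nHost: concerto.example\r\n\r\n",
    "encoded_semicolon": "GET /api%3B/v1/status HTTP/1.1\r\nHost: concerto.example\r\n\r\n",
    "hop_by_hop": "GET /api/v1/status HTTP/1.1\r\nHost: concerto.example\r\n"
                  "Connection: keep-alive, X-Real-Ip\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:18} -> {check_request(req) or 'allow'}")
```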

Added: Jun 9, 2025, 7:46 PM
Updated: Jan 22, 2026, 7:04 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.8
exploitability: 7.9
remediation: 0.0
relevance: 0.0
threat: 9.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.