Versa Networks has disclosed two high-severity vulnerabilities (CVE-2025-23171 and CVE-2025-23172) in its Director SD-WAN orchestration platform, enabling authenticated attackers to execute remote code and escalate privileges.
These flaws expose network management systems to significant compromise risks, particularly affecting service providers and enterprises using unpatched Versa Director deployments.
Technical Exploitation Mechanisms
The vulnerabilities stem from critical security oversights in file upload and webhook functions:
- CVE-2025-23171 (CVSS 7.2): An insecure file upload mechanism allows authenticated attackers to bypass UI restrictions and upload malicious webshells disguised as legitimate files (e.g., UCPE images).
- The platform leaks temporary filenames with UUID prefixes, enabling precise targeting of uploaded payloads.
- CVE-2025-23172 (CVSS 7.2): Webhook functionalities can be weaponized to craft HTTP requests to localhost, permitting command execution under
versauser privileges (with sudo access). - This enables privilege escalation and full system control.
| Affected Versions | Fixed Versions | Remediation Deadline |
|---|---|---|
| 22.1.4 | 22.1.4 (Feb 8, 2025+) | Immediate upgrade |
| 22.1.3 | 22.1.3 (Jun 10, 2025+) | Patch by June 10, 2025 |
| 22.1.2 | 22.1.2 (Jun 10, 2025+) | Patch by June 10, 2025 |
| 22.1.1 | None – upgrade required | Migrate to 22.1.3+ |
| 21.2.3 | 21.2.3 (Jun 10, 2025+) | Patch by June 10, 2025 |
| 21.2.2 | None – upgrade required | Migrate to 21.2.3+ |
Mitigation and Response
No workarounds exist for these flaws; upgrading to patched versions is mandatory.
Versa Networks confirms no active exploitation has been observed, but proof-of-concept code is publicly available, heightening attack risks.
Organizations must:
- Immediately apply updates using Versa’s official channels.
- Audit file upload activities for anomalous .png or executable files.
- Restrict webhook permissions and monitor localhost-bound traffic.
CISA has added related vulnerabilities (e.g., CVE-2024-39717) to its Known Exploited Vulnerabilities Catalog, underscoring the platform’s critical role in SD-WAN infrastructure.
With 31 internet-exposed instances globally (16 in the U.S.), unpatched systems face imminent targeting.
Versa credits CISA’s Rapid Action Force for discovering these flaws, highlighting the critical role of coordinated vulnerability disclosure.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1).webp?resize=1600,900&ssl=1&description=These flaws expose network management systems to significant compromise risks, particularly affecting service providers){kind=link}