Versa Director Flaws Let Attackers Execute Arbitrary Commands
A newly disclosed set of vulnerabilities in Versa Networks’ SD-WAN orchestration platform, Versa Director, enables authenticated attackers to upload malicious files and execute arbitrary commands on affected systems.
The vulnerabilities, tracked as CVE-2025-23171 and CVE-2025-23172, stem from insecure file upload and webhook functionalities, both carrying a CVSS score of 7.2, indicating high severity.
Vulnerability Details
The first flaw, CVE-2025-23171, allows authenticated users to upload files—including dangerous types such as webshells—through the platform’s UCPE image upload feature.
While the user interface appears to block such uploads, backend checks are insufficient, and uploads can still succeed.
Critically, Versa Director discloses the full filename, including a UUID prefix, of uploaded temporary files, providing attackers with the precise path needed to trigger malicious payloads.
This can lead to remote code execution (RCE) if a webshell is uploaded and accessed.
Vulnerabilities | CVE-2025-23171 (File Upload), CVE-2025-23172 (Webhook Abuse) |
Severity | High (CVSS 7.2) |
Affected Versions | 22.1.4 (pre-Feb 8, 2025), 22.1.3/22.1.2/21.2.3 (pre-June 10, 2025), 22.1.1, 21.2.2 |
The second vulnerability, CVE-2025-23172, involves the misuse of the platform’s webhook feature. Intended for sending alerts to external endpoints, the Add Webhook and Test Webhook functions can be manipulated to send crafted HTTP requests to the local system.
This opens the door for authenticated users to execute commands as the “versa” user, who holds sudo privileges—effectively granting attackers full control over the device.
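The kind of server-side destination check a webhook feature like the one described above needs, shown as an added example; it is not Versa's code or its fix, and upgrading remains the only mitigation the vendor recommends. The function names, the injectable `resolve` parameter and the sample URLs are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_all(host):
    """Default resolver: every address the name maps to (needs DNS)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_internal(addr):
    """True if addr is loopback, private, link-local or otherwise non-global."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:127.0.0.1 form
        ip = ip.ipv4_mapped
    return ip.is_multicast or not ip.is_global

def check_webhook_url(url, resolve=resolve_all):
    """Return (allowed, detail). On success detail is the vetted address list;
    the sender should connect to one of those addresses directly so that a
    second DNS lookup cannot swap in a local address."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "only http(s) URLs with a host are accepted"
    if parts.username or parts.password:
        return False, "credentials in URL are not accepted"
    try:
        addrs = [str(ipaddress.ip_address(host))]      # host is an IP literal
    except ValueError:
        try:
            addrs = list(resolve(host))                # host is a DNS name
        except OSError:
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    # Reject if ANY resolved address is local: one bad record is enough.
    bad = [a for a in addrs if is_internal(a)]
    if bad:
        return False, "resolves to internal address " + bad[0]
    return True, addrs

if __name__ == "__main__":
    # Constructed sample destinations (IP literals only, so this runs offline).
    for u in ("http://127.0.0.1:8080/x", "http://[::ffff:127.0.0.1]/",
              "http://169.254.169.254/", "https://8.8.8.8/hook"):
        print(u, "->", check_webhook_url(u))
```

Redirects need the same check on every hop, or should be disabled in the HTTP client that sends the webhook.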
Affected Versions and Remediation
The vulnerabilities impact a wide range of Versa Director versions. The table below summarizes the affected and remediated versions:
Version | Affected | Unaffected (Patched) |
22.1.4 | Images released before Feb 8, 2025 | Feb 8, 2025 Hot Fix and later |
22.1.3 | All | June 10, 2025 and later |
22.1.2 | All | June 10, 2025 and later |
22.1.1 | All | None |
21.2.3 | All | June 10, 2025 and later |
21.2.2 | All | None |
Versa Networks has not observed real-world exploitation of these specific flaws, but proof-of-concept code is publicly available, increasing the risk of opportunistic attacks.
There are no effective workarounds for disabling the vulnerable GUI options; upgrading to a remediated version is the only recommended mitigation.
The vulnerabilities are classified as high severity and are associated with several Common Weakness Enumerations (CWEs):
- CWE-266: Incorrect Privilege Assignment
- CWE-377: Insecure Temporary File
- CWE-434: Unrestricted Upload of File with Dangerous Type
While Versa Networks is not currently aware of any successful exploitations, the publication of proof-of-concept exploits by security researchers has heightened the urgency for organizations to patch affected systems immediately.
The vulnerabilities have drawn attention from major cybersecurity authorities, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urging organizations to apply patches and monitor for signs of compromise.
Versa Networks has acknowledged the CISA Rapid Action Force for discovering and reporting the flaws.