Versa Networks has fixed a zero-day vulnerability exploited in the wild that allows attackers to upload malicious files by exploiting an unrestricted file upload flaw in the Versa Director GUI.
Versa Director is a platform designed to help managed service providers simplify the design, automation, and delivery of SASE services, offering essential management, monitoring, and orchestration for Versa SASE’s networking and security capabilities.
The flaw (CVE-2024-39717), tagged by Versa as a high-severity vulnerability in the software’s “Change Favicon” feature, allows threat actors with administrator privileges to upload malicious files camouflaged as PNG images.
“This vulnerability allowed potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges,” Versa explains in a security advisory published on Monday.
“Impacted customers failed to implement system hardening and firewall guidelines mentioned above, leaving a management port exposed on the internet that provided the threat actors with initial access.”
According to Versa, CVE-2024-39717 only impacts customers who haven’t implemented system hardening requirements and firewall guidelines (available since 2017 and 2015).
Versa says it alerted partners and customers to review firewall requirements for Versa components on July 26 and notified them about this zero-day vulnerability exploited in attacks on August 9.
Exploited by APT actor “at least” once
The company says that the vulnerability had been exploited by an “Advanced Persistent Threat” (APT) actor in “at least” one attack.
Versa advises customers to apply hardening measures and upgrade their Versa Director installations to the latest version to block incoming attacks. Customers can check if the vulnerability has been exploited in their environments by inspecting the /var/versa/vnms/web/custom_logo/ folder for suspicious files that might have been uploaded.
The Cybersecurity and Infrastructure Security Agency (CISA) also added the zero-day to its Known Exploited Vulnerabilities (KEV) catalog on Friday. As mandated by the November 2021 binding operational directive (BOD 22-01), federal agencies must secure vulnerable Versa Director instances on their networks by September 13.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
Versa Networks is a secure access service edge (SASE) vendor that provides services to thousands of customers with millions of users, including large enterprises (e.g., Adobe, Samsung, Verizon, Virgin Media, Comcast Business, Orange Business, Capital One, Barclays) and over 120 service providers worldwide.