CVE-2025-23168: Vulnerability in Versa Director
Description
The Versa Director SD-WAN orchestration platform implements Two-Factor Authentication (2FA) using One-Time Passcodes (OTP) delivered via email or SMS. Versa Director accepts untrusted user input when dispatching 2FA codes, allowing an attacker who knows a valid username and password to redirect the OTP delivery (SMS/email) to their own device. OTP/TOTP codes are not invalidated after use, enabling reuse by an attacker who has previously intercepted or obtained a valid code. In addition, the 2FA system does not adequately restrict the number or frequency of login attempts. The OTP values are generated from a relatively small keyspace, making brute-force attacks more feasible.
Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers.
Workarounds or Mitigation: Versa recommends that Director be upgraded to one of the remediated software versions.
AI Analysis
Technical Summary
CVE-2025-23168 is a medium-severity vulnerability affecting the Versa Director SD-WAN orchestration platform, specifically versions 21.2.2 through 22.1.4. The vulnerability stems from weaknesses in the platform's implementation of Two-Factor Authentication (2FA), which relies on One-Time Passcodes (OTP) delivered via email or SMS. The core issue is that Versa Director accepts untrusted user input when dispatching 2FA codes, enabling an attacker who has already obtained valid username and password credentials to redirect OTP delivery to an attacker-controlled device. This redirection undermines the 2FA mechanism, effectively allowing the attacker to bypass the second authentication factor. Additionally, the OTP codes are not invalidated after use, permitting reuse of previously intercepted or obtained codes. The 2FA system also lacks adequate restrictions on the number or frequency of login attempts, increasing the risk of brute-force attacks. Compounding these issues, the OTP values are generated from a relatively small keyspace, making brute-force guessing more feasible. Although there are no known reports of exploitation in the wild, proof-of-concept exploits have been publicly disclosed by security researchers. The vulnerability requires an attacker to have valid credentials (password and username) but does not require user interaction beyond that. The CVSS v3.1 score is 6.3 (medium), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and impacts to confidentiality, integrity, and availability at a low level. Versa Networks recommends upgrading to remediated software versions to mitigate this vulnerability.
Potential Impact
For European organizations, the exploitation of CVE-2025-23168 could lead to unauthorized access to critical SD-WAN orchestration infrastructure. Since Versa Director manages network configurations and policies, an attacker gaining access could manipulate network traffic, disrupt service availability, or exfiltrate sensitive data. The ability to redirect OTPs and reuse codes weakens the 2FA security layer, increasing the risk of account compromise even when 2FA is enabled. This could result in lateral movement within corporate networks, impacting confidentiality and integrity of data flows. The lack of login attempt restrictions further facilitates brute-force attacks, potentially leading to denial of service or unauthorized access. Given the central role of SD-WAN in modern enterprise networks, especially for multinational corporations and critical infrastructure providers, this vulnerability could have cascading effects on network reliability and security. The absence of known exploitation in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code is available. Organizations relying on Versa Director for network orchestration should consider this vulnerability a significant risk to their network security posture.
Mitigation Recommendations
1. Immediate upgrade to the latest remediated versions of Versa Director as recommended by Versa Networks to address the vulnerability.
2. Implement strict monitoring and alerting on authentication attempts to detect abnormal login patterns or repeated failed attempts that could indicate brute-force attacks.
3. Enforce additional out-of-band verification methods for critical administrative actions within Versa Director to reduce reliance on OTP codes alone.
4. Restrict network access to the Versa Director management interface using IP whitelisting or VPNs to limit exposure to potential attackers.
5. Conduct regular audits of user accounts and credentials to identify and disable any compromised or unused accounts.
6. Consider integrating hardware-based 2FA tokens or more secure authentication mechanisms that do not rely on SMS or email OTPs, which are susceptible to interception or redirection.
7. Educate administrators on the risks of credential compromise and the importance of strong password hygiene.
8. Deploy rate-limiting controls at the application or network level to mitigate brute-force attempts against the authentication system.
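The four weaknesses in the description (client-controlled OTP destination, codes that survive their first use, no cap on verification attempts, and a small code keyspace) map directly onto four server-side checks. The following is an added illustration of an OTP flow that closes each of them, written for this page; it is not Versa's code and makes no claim about how Director implements 2FA. The user directory, the `sent` list standing in for an SMS/email gateway, and the limits (`MAX_ATTEMPTS`, `OTP_TTL_SECONDS`, `OTP_DIGITS`) are constructed assumptions; the plaintext password in the directory is a stand-in for a proper password hash.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample directory (hypothetical data). The OTP contact is looked
# up here, server-side, and never read from the login request.
USER_DIRECTORY = {
    "alice": {"password": "correct-horse", "otp_contact": "+49-000-0000"},
}

MAX_ATTEMPTS = 5        # failed guesses before the challenge is voided
OTP_TTL_SECONDS = 300   # a challenge is only valid for five minutes
OTP_DIGITS = 8          # 10^8 keyspace, combined with the attempt cap above


@dataclass
class Challenge:
    code: str
    destination: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.challenges = {}   # username -> outstanding Challenge (one at a time)
        self.sent = []         # (destination, code) pairs, stand-in for the gateway

    def request_otp(self, username, password, requested_destination=None):
        """First factor, then dispatch a fresh code to the registered contact.

        `requested_destination` is accepted only to show that a client-supplied
        address is ignored: the destination always comes from the directory.
        """
        user = USER_DIRECTORY.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return False
        destination = user["otp_contact"]            # not requested_destination
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Issuing a new challenge replaces any older one, so a code obtained
        # earlier cannot be replayed against a later login.
        self.challenges[username] = Challenge(
            code, destination, self.clock() + OTP_TTL_SECONDS
        )
        self.sent.append((destination, code))
        return True

    def verify_otp(self, username, submitted):
        """Second factor: single use, time-limited, attempt-capped."""
        ch = self.challenges.get(username)
        if ch is None:
            return False
        if ch.used or self.clock() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            self.challenges.pop(username, None)      # void it; no further retries
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code, submitted):
            ch.used = True                           # a code can succeed once only
            self.challenges.pop(username, None)
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            self.challenges.pop(username, None)      # lock out after the cap
        return False


if __name__ == "__main__":
    svc = OtpService()
    svc.request_otp("alice", "correct-horse", requested_destination="+1-other")
    destination, code = svc.sent[-1]
    print("sent to", destination, "(client-supplied address ignored)")
    print("first use:", svc.verify_otp("alice", code))
    print("replay:", svc.verify_otp("alice", code))
```

The `clock` parameter exists so expiry can be tested without sleeping; in production the default `time.time` is used. Detection for recommendation 2 above can be driven from the same place: every branch that returns `False` from `verify_otp` is an event worth logging with the username and source address, and a burst of them against one account is the brute-force signal the analysis warns about.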
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2025-01-12T01:00:00.649Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68534fe133c7acc04607dd51
Added to database: 6/18/2025, 11:46:41 PM
Last enriched: 6/19/2025, 12:04:34 AM
Last updated: 8/15/2025, 7:00:48 AM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)