
CVE-2025-23172: Vulnerability in Versa Director

Severity: High
Published: Wed Jun 18 2025 (06/18/2025, 23:30:51 UTC)
Source: CVE Database V5
Vendor/Project: Versa
Product: Director

Description

The Versa Director SD-WAN orchestration platform includes a Webhook feature for sending notifications to external HTTP endpoints. However, the "Add Webhook" and "Test Webhook" functionalities can be abused by an authenticated user to send crafted HTTP requests to localhost. This can be leveraged to execute commands on behalf of the versa user, who has sudo privileges, potentially leading to privilege escalation or remote code execution.

Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers.

Workarounds or Mitigation: There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions.

AI-Powered Analysis

Last updated: 06/19/2025, 00:02:32 UTC

Technical Analysis

CVE-2025-23172 is a high-severity vulnerability in the Versa Director SD-WAN orchestration platform, affecting versions 21.2.2 through 22.1.4. The Webhook feature exists to send notifications to external HTTP endpoints. The "Add Webhook" and "Test Webhook" functions do not stop an authenticated user from pointing the webhook at the localhost interface, so the Director itself issues the attacker-controlled HTTP request: in effect a server-side request forgery (SSRF) against services that are only reachable on the loopback interface.

Because the request originates from the Director host, it can reach those locally exposed services and, per the vendor advisory, be used to execute commands as the 'versa' user. That account holds sudo privileges, so the outcome is privilege escalation to root-equivalent access and remote code execution on the underlying host.

Exploitation requires valid credentials but no further user interaction, and the attack vector is network-based, so it can be performed remotely by anyone who can log in to the management interface. The CVSS v3.1 base score is 7.2, reflecting high impact on confidentiality, integrity and availability. No exploitation in the wild has been reported, but a proof of concept has been published by third-party researchers. Versa Networks has not identified any workaround that disables the vulnerable GUI options and recommends upgrading to a remediated software version.

The practical risk is that an authenticated user, potentially a low-privilege insider or a compromised account, can escalate to full control of the orchestrator and from there alter SD-WAN configuration and move laterally within the network. Given the central role Versa Director plays in SD-WAN orchestration, exploitation threatens both network management and business continuity.
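The flaw class described above is a webhook target that is accepted without checking where it actually points. The following is an added example written for this page, not Versa's code and not the proof of concept: it contrasts the kind of host-string check that is easy to bypass with a hardened validator that resolves the name once, rejects any answer that is loopback, private, link-local or otherwise non-global, and returns the vetted addresses so the HTTP client connects to exactly those (closing the DNS-rebinding gap between check and use). The resolver hook, the sample DNS table and all function names are assumptions made for the example.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

# Hypothetical resolver hook: hostname -> list of IP address strings.  Injected
# so the example runs offline and so the caller can connect to exactly the
# addresses that were vetted (see validate_webhook_target).
Resolver = Callable[[str], List[str]]

# Constructed DNS answers for the demonstration; not real records.
SAMPLE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "localtest.example.com": ["127.0.0.1"],              # name that points at loopback
    "dual.example.com": ["93.184.216.34", "10.0.0.5"],   # one public, one internal answer
    "alt-loop.example.com": ["::ffff:127.0.0.1"],        # IPv4-mapped IPv6 loopback
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


def naive_webhook_check(url: str) -> bool:
    """A host string comparison, the kind of check that is NOT sufficient.

    It lets through 127.1, [::1], [::ffff:127.0.0.1], 0x7f000001 and any
    hostname that resolves to loopback or to the management network."""
    host = urlsplit(url).hostname or ""
    return host not in ("localhost", "127.0.0.1")


def _is_internal(ip) -> bool:
    """True for any address a webhook must never reach: loopback, RFC 1918,
    link-local (incl. 169.254.169.254 metadata), CGNAT, ULA, unspecified,
    multicast, reserved.  `is_global` is False for all of those."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is loopback too
    return not ip.is_global


def validate_webhook_target(url: str, resolve: Resolver = sample_resolver) -> List[str]:
    """Vet a webhook URL and return the IP literals the HTTP client may use.

    Raises ValueError for anything that could reach the orchestrator itself
    or the management network.  Resolution happens here, once; the caller
    should connect to the returned addresses instead of re-resolving the
    name, which closes the DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in webhook URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        # Only canonical IP literals are accepted; shorthand such as 127.1 or
        # 0x7f000001 fails to parse and then fails to resolve, so it is denied.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        answers = resolve(host)
        if not answers:
            raise ValueError(f"host does not resolve: {host!r}")
        addrs = [ipaddress.ip_address(a) for a in answers]
    # Every answer must be acceptable: a single internal A/AAAA record is
    # enough to steer the request onto the loopback interface.
    for ip in addrs:
        if _is_internal(ip):
            raise ValueError(f"{host!r} resolves to disallowed address {ip}")
    return [str(ip) for ip in addrs]


def is_allowed(url: str, resolve: Resolver = sample_resolver) -> bool:
    """Boolean wrapper around validate_webhook_target, handy for bulk audits
    of already-configured webhook URLs."""
    try:
        validate_webhook_target(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ["https://hooks.example.com/notify", "http://127.1/", "http://[::1]:9182/",
              "http://localtest.example.com/", "http://dual.example.com/",
              "http://169.254.169.254/"]:
        print(f"{u:40} naive={naive_webhook_check(u)!s:5} hardened={is_allowed(u)}")
```

The validator is deny-by-default: a host that neither parses as a canonical IP literal nor resolves is refused rather than passed through, and a name with several answers is refused if any one of them is internal. Applying `is_allowed` to an export of existing webhook definitions is a quick way to find entries that already point at the Director host.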

Potential Impact

For European organizations, the impact of CVE-2025-23172 could be substantial, especially for enterprises and service providers relying on Versa Director for SD-WAN orchestration. Successful exploitation could lead to unauthorized command execution with elevated privileges, resulting in full system compromise. This could allow attackers to manipulate network configurations, disrupt SD-WAN operations, intercept or redirect traffic, and potentially pivot to other critical infrastructure components. The confidentiality of sensitive network data could be compromised, integrity of network policies altered, and availability of network services disrupted. Given the increasing reliance on SD-WAN for secure and efficient connectivity across distributed European offices and data centers, such disruptions could affect critical sectors including finance, telecommunications, manufacturing, and government. Additionally, the ability to execute commands as a sudo user increases the risk of deploying persistent malware or ransomware, which could have cascading effects on operational resilience and regulatory compliance, particularly under GDPR and other data protection frameworks. The absence of known active exploitation reduces immediate risk but does not diminish the urgency of patching due to the availability of proof-of-concept exploits.

Mitigation Recommendations

1. Immediate upgrade: Prioritize upgrading Versa Director to a remediated version provided by Versa Networks, since the vendor states there is no workaround that disables the vulnerable Webhook GUI features.
2. Access control tightening: Restrict access to the Versa Director management interface to trusted administrators and management networks, using network segmentation, VPNs or zero-trust access controls, so that fewer accounts are in a position to exploit an authenticated flaw.
3. Multi-factor authentication (MFA): Enforce MFA for all users of the Versa Director platform to reduce the risk from compromised credentials, which is the usual way an outsider becomes an "authenticated user".
4. Monitoring and logging: Review Director audit logs for "Add Webhook" and "Test Webhook" events whose target is localhost, a loopback address (127.0.0.0/8, ::1, or an IPv4-mapped form such as ::ffff:127.0.0.1) or another internal address, and for bursts of Test Webhook calls from one account. On the host, watch for HTTP connections from the Director process to the loopback interface.
5. Least privilege review: Audit and minimize the set of users who can reach the Webhook configuration features, and review sudo rights on the Versa Director host, to shrink the attack surface.
6. Incident response readiness: Prepare incident response plans for SD-WAN orchestration compromise, including isolating affected systems and preserving evidence for forensic analysis.
7. Vendor coordination: Maintain communication with Versa Networks for timely updates and patches, and verify patch integrity before deployment.
8. Network segmentation: Isolate SD-WAN orchestration components from general IT infrastructure to contain a breach.
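Recommendation 4 above asks for detection of suspicious webhook activity. The following is an added example for this page, not a Versa-supplied rule and not based on Versa's real log format: it parses a constructed audit log in a hypothetical key=value layout, flags Add/Test Webhook events whose target is a literal loopback, private or otherwise non-global address, and reports accounts that fire repeated Test Webhook calls inside a short window, which is what probing loopback ports and paths looks like. The log layout, regular expression, field names and thresholds are assumptions to adapt to what your Director version actually emits.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed audit lines in a hypothetical "key=value" layout used only for
# this example; it is NOT Versa Director's real log format.  Adapt LINE_RE to
# whatever your Director version actually writes.
SAMPLE_LOG = """\
2025-06-19T08:00:01Z user=netops action=ADD_WEBHOOK url=https://hooks.example.com/notify
2025-06-19T08:02:10Z user=contractor7 action=TEST_WEBHOOK url=http://localhost:9182/
2025-06-19T08:02:12Z user=contractor7 action=TEST_WEBHOOK url=http://127.0.0.1:8080/
2025-06-19T08:02:15Z user=contractor7 action=TEST_WEBHOOK url=http://[::1]:9183/
2025-06-19T08:02:17Z user=contractor7 action=TEST_WEBHOOK url=http://10.10.10.10/
2025-06-19T09:30:00Z user=netops action=TEST_WEBHOOK url=https://hooks.example.com/notify
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) url=(?P<url>\S+)$")

WEBHOOK_ACTIONS = ("ADD_WEBHOOK", "TEST_WEBHOOK")


def parse_events(log: str) -> List[Dict[str, object]]:
    """Parse the constructed log; lines that do not match the layout are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "action": m["action"], "url": m["url"],
        })
    return events


def target_is_internal(url: str) -> bool:
    """Flag webhook targets that name the Director host or its networks by
    literal.  Hostnames are deliberately not resolved here (detection code
    should not make network calls); the preventive check at configuration
    time is the place to resolve names."""
    host = (urlsplit(url).hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:127.0.0.1 is loopback too
    return not ip.is_global


def internal_webhook_events(events) -> List[Tuple[str, str, str]]:
    """(timestamp, user, url) for every Add/Test Webhook aimed at an internal target."""
    return [(e["ts"].isoformat(), e["user"], e["url"])
            for e in events
            if e["action"] in WEBHOOK_ACTIONS and target_is_internal(e["url"])]


def find_test_bursts(events, threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, int]]:
    """Users who fired at least `threshold` Test Webhook calls inside one window.

    Repeated tests against changing URLs are how an attacker discovers which
    loopback ports and paths respond, so the burst itself is a signal even
    when an individual target looks harmless."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "TEST_WEBHOOK":
            per_user[e["user"]].append(e["ts"])
    hits = []
    for user, times in per_user.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:   # slide the window start forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits.append((user, best))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in internal_webhook_events(evs):
        print("internal target:", *hit)
    for user, n in find_test_bursts(evs):
        print(f"burst: {user} issued {n} Test Webhook calls within 5 minutes")
```

Both detections are independent of the proof of concept: the first catches any webhook aimed at the host regardless of path or port, the second catches the enumeration pattern even when the target field is missing or obfuscated. Tune `threshold` and `window` to how often your own operators legitimately test webhooks.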


Technical Details

Data Version
5.1
Assigner Short Name
hackerone
Date Reserved
2025-01-12T01:00:00.649Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68534fe133c7acc04607dd6d

Added to database: 6/18/2025, 11:46:41 PM

Last enriched: 6/19/2025, 12:02:32 AM

Last updated: 8/15/2025, 11:51:58 AM

