A fresh set of zero-day vulnerabilities has stirred up concerns across the cybersecurity world — and especially inside the tightly-controlled networks of global telecom providers.
Security researchers recently uncovered three major security bugs in Concerto, a management platform from Versa Networks, a company that supplies core network technology to some of the largest telecom operators in the world. The bugs were serious enough to potentially let hackers take full control of affected systems, and the worst part? In some cases, the affected platforms were sitting wide open on the internet.
Small Exposure, Massive Stakes
The vulnerabilities weren’t exactly widespread. According to the team at ProjectDiscovery, only a few dozen organizations had instances of Versa Concerto exposed to the open web. Still, that small number had outsized impact.
Why? Because these weren’t average companies — they were major telcos.
Rahul Maini, one of the researchers involved in the discovery, explained that many of the exposed systems had privileged links to Versa Director servers. That gave potential attackers not just access to one piece of the puzzle, but to the control hub of a vast software-defined wide area networking (SD-WAN) environment.
Some of those exposed systems even stored plaintext passwords for things like Active Directory and internal proxies.
A Look at the Three Vulnerabilities
Each of the three bugs had its own flavor of danger — and each offered a different attack path.
• CVE-2025-34025: A misconfiguration inside a Docker container allowed privilege escalation and container escape. Score: 8.6
• CVE-2025-34026: A flaw in how Concerto validated IP headers allowed attackers to bypass authentication and access sensitive endpoints. Score: 9.2
• CVE-2025-34027: The most complex — a chained attack exploiting a race condition, upload vulnerability, and TOCTOU bug to trigger remote code execution. Score: 10.0
It’s rare to see a perfect 10 on the CVSS scale. This one earned it.
A Perfect Storm of Exposure
What made this even scarier was how each bug fed into the next. The second vulnerability (CVE-2025-34026) allowed access to protected endpoints. Once in, attackers could then abuse the third bug (CVE-2025-34027) to push and execute their own code.
It wasn’t just an open door — it was a clear runway.
And although not every client ran Concerto in an exposed fashion, those that did often had minimal segmentation between Concerto and other internal systems. One misstep, one phishing campaign, or even one lazy password could’ve been enough to let someone fly under the radar for months.
Patch Arrives — But Communication Falters
Versa Networks says it acted quickly. The company told Dark Reading that it had issued a hotfix as early as March 7, and followed up with a full patched release on April 16.
Still, there was confusion.
ProjectDiscovery had initially claimed — incorrectly — that no fix had been issued. Communication between researchers and Versa apparently broke down sometime between April and May. This misstep could’ve led some customers to believe they were still vulnerable.
Versa later clarified that all affected customers had been notified through their usual support channels. It’s now up to the customers to actually install the fixes.
Some haven’t.
Why Versa Was Always a High-Value Target
Versa Networks isn’t a household name, but it’s a powerhouse in the networking space.
Founded in 2012, the company has raised nearly $200 million and built a reputation as a go-to vendor for SASE (Secure Access Service Edge) solutions — especially in the telecom sector.
And that reputation has also drawn attention from less friendly parties.
In 2023, Chinese state-sponsored threat group Volt Typhoon exploited another flaw in Versa Director — Concerto’s management platform sibling — to access sensitive internal systems. The intrusion was eventually traced back, but it underscored how vulnerable critical infrastructure could be.
Now with these new vulnerabilities exposed (and patched), the stakes are once again front and center.
The Numbers Don’t Lie
To get a sense of how significant these vulnerabilities were, let’s lay out the scores:
| CVE ID | Severity | CVSS Score | Attack Type | Potential Impact |
|---|---|---|---|---|
| CVE-2025-34025 | High | 8.6 | Privilege Escalation | Host system compromise |
| CVE-2025-34026 | Critical | 9.2 | Authentication Bypass | Access to credentials & tokens |
| CVE-2025-34027 | Critical | 10.0 | Remote Code Execution | Full system takeover |
It’s no exaggeration — this was about as bad as it gets.
Risk Isn’t Over Until Everyone Patches
Versa insists that “many customers have already upgraded.” That’s good news. But it also leaves a troubling open-ended question: how many haven’t?
Security teams often struggle to roll out patches, especially in telecom, where even small outages can trigger millions in losses. There’s a tendency to delay updates until a clear and present danger emerges.
But in cases like this, the danger was already knocking.
No confirmed exploitation has occurred so far — that much is true. But given the value of the targets involved, it might just be a matter of time before someone tries again.