Discovered: Important Security Flaws in Versa Networks' SD-WAN/SASE Infrastructure
In a recent development, cybersecurity researchers at ProjectDiscovery have disclosed three critical vulnerabilities in Versa Concerto, a networking and security platform. The vulnerabilities, designated as CVE-2025-34025, CVE-2025-34026, and CVE-2025-34027, pose significant risks, with CVSSv4 ratings of 10.0, 9.2, and 8.6 respectively.
On February 13, ProjectDiscovery informed the Versa Concerto team about these flaws, setting a 90-day disclosure timeline. The team was expected to release patches by May 13. However, with the 90-day disclosure deadline now past, Versa Networks has not publicly released patches for any of these vulnerabilities.
Among the vulnerabilities, CVE-2025-34027 is an authentication bypass that allows remote code execution via path loading manipulation. This vulnerability is particularly severe, with a CVSSv4 rating of 10.0. CVE-2025-34025 is a privilege escalation and container escape vulnerability, while CVE-2025-34026 is an authentication bypass in the Traefik reverse proxy configuration.
Versa Networks developed and validated hotfixes for these vulnerabilities and made them available to customers on March 7. However, these fixes were not disclosed to the public. The software release containing these remediations was made available to all customers on April 16.
Despite multiple contacts in April, ProjectDiscovery did not find any evidence of those patches being implemented. Versa Networks has not publicly released a patch for any of the vulnerabilities, despite being made aware of the issues in mid-February.
On March 28, the Versa Concerto team informed ProjectDiscovery that hotfixes and patches would be released on April 7. However, as mentioned earlier, the patches have not been publicly released. Versa Networks has notified affected customers through established security and support channels with guidance on how to apply the recommended updates.
As of now, Versa Networks has not seen any indication that these vulnerabilities have been exploited in the wild, and no customer impact has been reported. However, the ProjectDiscovery report notes that the vulnerabilities have the potential for severe exploitation if left unaddressed.
On May 21, ProjectDiscovery published an advisory about these critical vulnerabilities in Versa Concerto. VulnCheck, a CVE Numbering Authority (CNA), also publicly disclosed the three vulnerabilities on the same day. This article was updated on May 23, 2025, to add Versa's response.
Versa Networks has been contacted for comment on the status of the patches, and this article will be updated with any new information. It is recommended that Versa Concerto users review the ProjectDiscovery advisory and apply the recommended updates as soon as possible.