CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
The Versa Director SD-WAN orchestration platform includes a Webhook feature for sending notifications to external HTTP endpoints. However, the "Add Webhook" and "Test Webhook" functionalities can be abused by an authenticated user to send crafted HTTP requests to localhost. This can be leveraged to execute commands on behalf of the versa user, who has sudo privileges, potentially leading to privilege escalation or remote code execution.

Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers.

Workarounds or Mitigation: There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions.
Analysis
CVE-2025-23172 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Versa Director SD-WAN orchestration platform. An authenticated user with high privileges can abuse the Webhook feature to make Director send crafted HTTP requests to localhost endpoints, which can be leveraged to execute arbitrary commands on behalf of the 'versa' user, who holds sudo privileges; the outcome is potential remote code execution and privilege escalation on the Director host. No in-the-wild exploitation has been reported, but a proof of concept has been publicly disclosed, which raises the risk for organizations running unpatched Versa Director instances.
Technical Context
The vulnerability resides in the Webhook notification feature of Versa Director's HTTP-based orchestration interface (CWE-918: Server-Side Request Forgery). The root cause is insufficient validation of the destination URL and a lack of network boundary enforcement when the 'Add Webhook' and 'Test Webhook' functionalities construct and dispatch HTTP requests: an authenticated administrator can specify a localhost endpoint (e.g., http://localhost:PORT/endpoint), so requests originating from Director itself reach local services that are not meant to be exposed and that may run with elevated privileges. Because the 'versa' service user operates with sudo capabilities, an SSRF into a local privileged service (a local management API, a configuration endpoint, or a command execution interface) can escalate to system-level code execution. This is a classic SSRF-to-RCE chain in which the platform's own local architecture becomes the attack surface.
Affected Products
Versa Networks Versa Director SD-WAN Orchestration Platform. The specific vulnerable versions are not enumerated in the data available here; the vendor advisory recommends upgrading to a remediated version. Affected product family: Versa Networks Director (CPE pattern: cpe:/a:versa:director or cpe:/a:versa_networks:director). Because the vulnerability requires authenticated, high-privilege access, exposure is limited to internal administrators and to compromised high-privilege accounts. No public CVE record specifies exact version ranges, which suggests that Versa Networks has issued version guidance through its own security advisories rather than through public CVE detail pages.
Remediation
Versa Networks recommends an immediate upgrade to a remediated software version (obtain the specific version numbers from the Versa Networks security advisory). No workaround exists to disable the Webhook GUI feature, so patching is required for full remediation. Interim compensating controls:

(1) Restrict administrative access to the Versa Director console with strong access controls and multi-factor authentication.
(2) Use network segmentation to limit outbound HTTP requests from Versa Director to approved external endpoints only, blocking localhost and internal service routes.
(3) Monitor and audit all Webhook configuration changes and test activity for requests that target localhost.
(4) Disable or restrict the Test Webhook functionality through role-based access control, if the Director platform supports granular permissions.
(5) Add intrusion detection rules that alert on HTTP requests from Versa Director processes to localhost addresses.

Contact Versa Networks directly, or check their security portal, for the availability of patched versions and upgrade timelines.
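Controls (2) and (5) above act at the network layer; the application-layer counterpart, and the check the Technical Context section describes as missing, is validating a webhook destination before the request is built. The following is an added example of such a validator, not Versa code: the hostnames and the 1.2.3.4 address are constructed, and the static resolver stands in for DNS so the block runs offline. It rejects non-HTTP schemes, embedded credentials, and any destination that resolves to a loopback, private, link-local, unspecified or IPv4-mapped internal address, and it fails closed when a host cannot be resolved.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Constructed, offline stand-in for DNS: hostname -> records it "resolves" to.
STATIC_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "hooks.example.com": ["1.2.3.4"],                # placeholder public address
    "rebind.example.com": ["1.2.3.4", "127.0.0.1"],  # mixed public/loopback answer
}

def static_resolve(host: str) -> List[str]:
    return STATIC_DNS.get(host, [])

def dns_resolve(host: str) -> List[str]:
    """Resolver for real use: every A/AAAA record the host currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def address_is_internal(ip) -> bool:
    """True for any address a webhook must never target (loopback, RFC 1918, link-local, ...)."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)

def validate_webhook_url(url: str, resolver: Callable[[str], List[str]] = dns_resolve) -> Tuple[bool, str]:
    """Decide whether a user-supplied webhook URL may be dispatched; fails closed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        candidates = [ipaddress.ip_address(host)]  # IP literal: no lookup needed
    except ValueError:  # hostname, or a non-canonical literal such as 127.1
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not candidates:
            return False, f"cannot resolve {host!r}: no records"
    # Reject if ANY record is internal: a mixed public/loopback answer is a classic bypass.
    internal = [str(ip) for ip in candidates if address_is_internal(ip)]
    if internal:
        return False, f"{host!r} resolves to internal address(es): {', '.join(internal)}"
    return True, "ok"
```

Call it with resolver=static_resolve for the constructed hosts, or with the default dns_resolve in a real deployment. Validation at configuration time does not bind the address used at send time, so the dispatching client should connect to the validated address (or re-run the check) rather than resolving the hostname again independently.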
EUVD-2025-18671