Skip to main content

CVE-2025-23172

| EUVDEUVD-2025-18671 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2025-06-19 support@hackerone.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 00:08 euvd
EUVD-2025-18671
Analysis Generated
Mar 15, 2026 - 00:08 vuln.today
CVE Published
Jun 19, 2025 - 00:15 nvd
HIGH 7.2

DescriptionCVE.org

The Versa Director SD-WAN orchestration platform includes a Webhook feature for sending notifications to external HTTP endpoints. However, the "Add Webhook" and "Test Webhook" functionalities can be abused by an authenticated user to send crafted HTTP requests to localhost. This can be leveraged to execute commands on behalf of the versa user, who has sudo privileges, potentially leading to privilege escalation or remote code execution.

Exploitation Status:

Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers.

Workarounds or Mitigation:

There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions.

AnalysisAI

CVE-2025-23172 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in Versa Director SD-WAN orchestration platform that allows authenticated users with high privileges to abuse the Webhook feature to send crafted HTTP requests to localhost endpoints. This can be exploited to execute arbitrary commands on behalf of the 'versa' user who holds sudo privileges, resulting in potential remote code execution and privilege escalation. While no active exploitation has been reported in the wild, a proof-of-concept has been publicly disclosed, presenting an elevated risk for organizations running vulnerable Versa Director instances.

Technical ContextAI

The vulnerability resides in the Webhook notification feature of Versa Director's HTTP-based orchestration interface (CWE-918: Server-Side Request Forgery). The root cause is insufficient input validation and lack of network boundary enforcement when the 'Add Webhook' and 'Test Webhook' functionalities construct and dispatch HTTP requests. An authenticated administrator can specify arbitrary localhost endpoints (e.g., http://localhost:PORT/endpoint) that may expose local services running with elevated privileges. The 'versa' service user operates with sudo capabilities, meaning successful SSRF exploitation to local privileged services (such as local management APIs, configuration endpoints, or command execution interfaces) can escalate to system-level code execution. This is a classic SSRF-to-RCE chain where the platform's own local architecture becomes the attack surface.

RemediationAI

Versa Networks recommends immediate upgrade to remediated software versions (specific version numbers should be obtained from Versa Networks security advisory). No functional workarounds exist to disable the Webhook GUI feature, so patching is mandatory for full remediation. Interim compensating controls: (1) Restrict administrative access to Versa Director console via strong access controls and multi-factor authentication; (2) Implement network segmentation to limit outbound HTTP requests from Versa Director to approved external endpoints only, blocking localhost and internal service routes; (3) Monitor and audit all Webhook configuration changes and test activities for anomalous localhost-targeting requests; (4) Disable or restrict the Test Webhook functionality through role-based access control if the Director platform supports granular permission controls; (5) Implement intrusion detection rules to alert on HTTP requests from Versa Director processes targeting localhost addresses. Contact Versa Networks directly or check their security portal for specific patched version availability and upgrade timelines.

Share

CVE-2025-23172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy