CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
The Versa Director SD-WAN orchestration platform makes use of the Cisco NCS application service. Active and Standby Directors communicate over TCP ports 4566 and 4570 to exchange High Availability (HA) information using a shared password. Affected versions of Versa Director bound to these ports on all interfaces. An attacker who can access the Versa Director could access the NCS service on port 4566 and exploit it to perform unauthorized administrative actions and remote code execution. Customers are advised to follow the hardening guide. Versa Networks is not aware of any reported instance where this vulnerability was exploited. A proof of concept for this vulnerability has been disclosed by third-party security researchers.
Analysis
Critical remote code execution vulnerability in Versa Director SD-WAN orchestration platform affecting the Cisco NCS application service bound to TCP ports 4566 and 4570. An unauthenticated network attacker can exploit weak HA authentication mechanisms to gain unauthorized administrative access and execute arbitrary code with CVSS 9.8 severity. While no active exploitation has been confirmed, third-party proof-of-concept code has been publicly disclosed, significantly elevating real-world risk.
Technical Context
Versa Director implements High Availability (HA) clustering between Active and Standby Director instances using shared password-based authentication over TCP ports 4566 and 4570 for synchronization of HA state information. The vulnerability resides in the Cisco NCS (Network Control System) application service integrated within Versa Director. The root cause is CWE-284 (Improper Access Control / Insufficient Access Control), where authentication and authorization mechanisms fail to adequately protect the NCS service endpoints. The shared password mechanism and binding to all interfaces (0.0.0.0) without network segmentation create an exploitable attack surface. An attacker with network access to these ports can bypass authentication, access the NCS service, and leverage administrative interfaces to execute arbitrary commands with system privileges.
Affected Products
Versa Director SD-WAN Orchestration Platform—specific version range not disclosed in provided data but described as 'affected versions.' Based on description, all Versa Director installations running vulnerable versions that bind NCS service to ports 4566 and 4570 are susceptible. The vulnerability affects the integrated Cisco NCS application service component. CPE would be structured as: cpe:2.3:a:versa_networks:versa_director:*:*:*:*:*:*:*:* (version range to be confirmed via vendor advisory). Deployment configurations with ports 4566/4570 exposed to untrusted networks represent highest risk; internal-only deployments with network segmentation have reduced but non-zero risk.
Remediation
Immediate actions: (1) Consult the Versa Networks official security advisory for patched version availability and deployment timeline; (2) As interim mitigation, implement network-level access controls restricting TCP ports 4566 and 4570 to authorized HA peer IP addresses only, and bind the NCS service to specific internal interface IPs rather than 0.0.0.0; (3) Deploy firewall rules limiting access to these ports to trusted HA partner systems; (4) If immediate patching is unavailable, isolate affected Versa Director instances to internal-only networks pending patch availability; (5) Review HA password strength and consider forcing HA re-authentication post-incident. The Versa Networks hardening guide (referenced in the description) should be consulted for defense-in-depth configuration. Once vendor patches are released, apply them immediately to all affected Versa Director instances. Verify patch deployment by confirming that NCS service accessibility is restricted post-update.
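One way to run the bind-address check from steps (2) and the final verification on a Director host, as an added example that is not Versa's or this page's own tooling. It assumes a Linux host where `ss -H -ltn` is available; the function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Audit listeners on the HA/NCS ports named in the advisory (4566, 4570).
# Input format: `ss -H -ltn` (State Recv-Q Send-Q Local:Port Peer:Port).
HA_PORTS="4566 4570"

# Reads ss lines on stdin; prints "<verdict> <addr> <port>" per HA listener.
# EXPOSED = wildcard bind, LOOPBACK = local only, SCOPED = one specific IP.
classify_listeners() {
    awk -v ports="$HA_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        # Port follows the last colon (IPv6 addresses contain colons too).
        idx = match($4, /:[0-9]+$/)
        if (idx == 0) next
        port = substr($4, idx + 1)
        addr = substr($4, 1, idx - 1)
        if (!(port in want)) next
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            verdict = "EXPOSED"
        else if (addr ~ /^127\./ || addr ~ /^\[::1\]/)
            verdict = "LOOPBACK"
        else
            verdict = "SCOPED"
        print verdict, addr, port
    }'
}

# Succeeds only when no HA port is bound to a wildcard address.
ha_ports_restricted() {
    ! classify_listeners | grep -q '^EXPOSED'
}

# Constructed sample of `ss -H -ltn` output, not captured from a real system.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:4566 0.0.0.0:*
LISTEN 0 128 10.20.0.11:4570 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4566 0.0.0.0:*
LISTEN 0 128 [::]:4570 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# Demo on the sample; on a live host use: ss -H -ltn | classify_listeners
sample_ss_output | classify_listeners
```

A SCOPED result only shows that the bind address is specific; reachability from non-peer hosts still depends on the firewall rules in step (3) and should be confirmed from a host outside the HA pair.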
EUVD-2024-54691