EUVD-2025-18668 | CVE-2025-23171 HIGH
Published 2025-06-19, source: [email protected]
CVSS 3.1 base score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 00:08 (euvd), EUVD-2025-18668
Analysis Generated: Mar 15, 2026 00:08 (vuln.today)
CVE Published: Jun 19, 2025 00:15 (nvd), HIGH 7.2

Description

The Versa Director SD-WAN orchestration platform provides an option to upload various types of files. The Versa Director does not correctly limit file upload permissions. The UI appears not to allow file uploads, but uploads still succeed. In addition, the Versa Director discloses the full filename of uploaded temporary files, including the UUID prefix. Insecure UCPE image upload in Versa Director allows an authenticated attacker to upload a webshell. Exploitation Status: Versa Networks is not aware of any reported instance where this vulnerability was exploited. A proof of concept for this vulnerability has been disclosed by third-party security researchers. Workarounds or Mitigation: There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions.

Analysis

CVE-2025-23171 is an insecure file upload vulnerability (CWE-434) in the Versa Director SD-WAN orchestration platform. The UI hides the upload option, but the server does not enforce that restriction, so an authenticated high-privilege user (CVSS PR:H) can still submit arbitrary files through the UCPE image upload, including a webshell, and Director reveals the stored temporary filename, UUID prefix included, which removes any guesswork about where the file landed. The score is 7.2 (High): network-reachable, low complexity, no user interaction, full confidentiality, integrity and availability impact, held back only by the privilege requirement. Versa reports no known exploitation, but third-party researchers have published a proof of concept, so organizations running affected versions face real risk of post-authentication code execution on the orchestrator that manages their SD-WAN estate.

Technical Context

The weakness is CWE-434 (Unrestricted Upload of File with Dangerous Type): the server accepts files without verifying that the file type and the caller's permission to upload it match the intended policy. Versa Director's upload functionality, meant for configuration and UCPE image management, enforces its restriction only in the UI; the upload endpoint itself does not re-check permissions or file type, so a client that bypasses the UI and calls the endpoint directly succeeds. A hidden button is a usability feature, not a security boundary, and this is the textbook case of relying on one. The second defect compounds the first: Director returns the full name of the temporary file it created, including the UUID prefix, so the attacker learns exactly where the uploaded content landed and can locate and reach it, which is what a dropped webshell needs in order to be of any use. Together, the two defects let an authenticated high-privilege user plant and reach executable content on the orchestration platform.
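The pattern above, shown as an added example rather than Versa Director's own code: a handler that gates uploads only on client-side UI state and echoes the temporary filename back, next to one that makes every decision server-side. The function names, the role set, the image allowlist and the response strings are assumptions for illustration.

```python
"""Added example, not Versa Director code: UI-only upload gating next to a
server-side check of the kind CWE-434 calls for. Function names, the role set,
the image allowlist and the response strings are assumptions for illustration."""
import os
import re
import uuid
from dataclasses import dataclass
from typing import Optional

# Hypothetical allowlist for an image upload endpoint: extension -> leading bytes.
# qcow2 images start with "QFI\xfb"; gzip-compressed tarballs with 0x1f 0x8b.
IMAGE_MAGIC = {".qcow2": b"QFI\xfb", ".tgz": b"\x1f\x8b"}
MAX_IMAGE_BYTES = 4 * 1024 ** 3
UPLOAD_ROLES = {"admin"}                      # roles the server lets upload images
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


@dataclass
class UploadResult:
    accepted: bool
    stored_name: Optional[str]   # name the server would write under its upload dir
    message: str                 # text returned to the client


def vulnerable_upload(role: str, ui_allows_upload: bool, filename: str, data: bytes) -> UploadResult:
    """Mirrors the advisory's failure modes; `role` and `ui_allows_upload` are never consulted."""
    # Bug 1: `ui_allows_upload` is client-side state and `role` is ignored, so hiding
    #        the button in the UI changes nothing; a direct request still succeeds.
    # Bug 2: no type check, so a .jsp/.php webshell is stored with its real extension.
    # Bug 3: the full temporary name, UUID prefix included, is echoed back, which
    #        tells the caller exactly which file to request afterwards.
    stored = f"{uuid.uuid4()}_{filename}"
    return UploadResult(True, stored, f"stored {len(data)} bytes at /tmp/uploads/{stored}")


def hardened_upload(role: str, filename: str, data: bytes) -> UploadResult:
    """Every decision is made server-side from the session role and the bytes received."""
    if role not in UPLOAD_ROLES:
        return UploadResult(False, None, "upload not permitted")
    name = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    if not SAFE_NAME.match(name):
        return UploadResult(False, None, "invalid file name")
    ext = os.path.splitext(name)[1].lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is None or not data.startswith(magic):         # extension AND content must match
        return UploadResult(False, None, "unsupported image type")
    if len(data) > MAX_IMAGE_BYTES:
        return UploadResult(False, None, "image too large")
    handle = uuid.uuid4().hex                               # server-chosen, never the user's name
    # Only an opaque handle goes back; the on-disk name and directory stay private.
    return UploadResult(True, handle + ext, f"upload accepted, id {handle}")
```

The hardened path rejects the webshell twice over (extension not on the allowlist, content not matching any image magic), and even an accepted image is stored under a server-generated name, so nothing the client learns from the response points at a path on disk.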

Affected Products

Versa Director SD-WAN orchestration platform (vendor: Versa Networks), specifically the UCPE (Unified CPE) image upload functionality. The supplied description does not give version ranges; the Versa Networks security advisory identifies the vulnerable and remediated versions. Affected CPE: cpe:2.3:a:versa:director:*:*:*:*:*:*:*:* (with version constraints from the vendor advisory). Consult the advisory for the exact version boundaries before deciding whether an instance is affected.

Remediation

Versa Networks recommends upgrading to a remediated version of Versa Director; the supplied data does not give the version numbers. Organizations should:
(1) Obtain the exact patched version numbers from the Versa Networks security advisory.
(2) Schedule urgent patching of Director instances, production orchestrators first.
(3) In the interim, restrict administrative access to Director with network-level controls. The vulnerability requires high-privilege authentication, so limiting who can reach the management interface narrows the pool of accounts an attacker could use.
(4) Audit the upload location for webshell artifacts. Director returns the full temporary filename, including its UUID prefix, to the uploader, so look for UUID-prefixed files whose extension or content is script rather than image data.
(5) Review Director access logs for upload requests followed by requests for the returned temporary filename from the same source.
No configuration workaround disables the GUI upload option, so patching is the only remediation.
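Steps (4) and (5) as an added, runnable hunt, not code from Versa or vuln.today: it scans a directory listing for files that do not look like images and walks an access log for fetches of UUID-prefixed uploads, weighting sources that used the upload endpoint shortly before. The listing, the log lines, the endpoint path and the log format are constructed for illustration and do not reflect Director's real file layout or logging.

```python
"""Added example, not Versa or vuln.today code: post-patch hunting for webshell
artifacts left by abuse of the image upload. The upload directory listing, the
access-log lines and the endpoint paths below are constructed for illustration and
do not reflect Director's real file layout or log format."""
import os
import re

SCRIPT_EXT = {".jsp", ".jspx", ".php", ".phtml", ".war", ".sh", ".py"}
SCRIPT_MARKERS = (b"<%", b"<?php", b"#!")       # content that should never be in an image
UPLOAD_ENDPOINT = "/api/ucpe/image/upload"      # hypothetical upload path
UUID_PREFIXED = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}_(?P<name>[^/\s?]+)")
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed listing: file name -> first bytes on disk.
UPLOAD_DIR = {
    "7f3c2a1e-9b7d-4e0a-8d2f-1c5b6a7e9d01_cmd.jsp":
        b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "3d4e5f60-1a2b-4c3d-9e8f-0a1b2c3d4e5f_ucpe-2.1.qcow2": b"QFI\xfb\x00\x00\x00\x03",
    "9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d_notes.txt": b"#!/bin/sh\nid\n",
}

# Constructed access-log lines in a combined-log-like format.
ACCESS_LOG = """\
10.0.0.5 - admin [20/Jun/2025:10:01:12 +0000] "POST /api/ucpe/image/upload HTTP/1.1" 200 188
10.0.0.5 - admin [20/Jun/2025:10:01:40 +0000] "GET /uploads/7f3c2a1e-9b7d-4e0a-8d2f-1c5b6a7e9d01_cmd.jsp?c=id HTTP/1.1" 200 57
10.0.0.9 - ops [20/Jun/2025:10:05:03 +0000] "POST /api/ucpe/image/upload HTTP/1.1" 200 188
10.0.0.9 - ops [20/Jun/2025:10:06:00 +0000] "GET /ui/images HTTP/1.1" 200 4021
"""


def scan_upload_dir(files):
    """Flag files whose extension or leading bytes do not belong in an image store."""
    findings = []
    for name, head in files.items():
        reasons = []
        if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
            reasons.append("script extension")
        if head.lstrip().startswith(SCRIPT_MARKERS):   # catches a shell script named .txt
            reasons.append("script content")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def scan_access_log(log_text):
    """Flag fetches of UUID-prefixed uploads, weighting sources that uploaded earlier."""
    uploaders = set()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, path, status = m.groups()
        if method == "POST" and path.startswith(UPLOAD_ENDPOINT):
            uploaders.add(ip)      # remember who used the upload, legitimately or not
            continue
        hit = UUID_PREFIXED.search(path)
        if not hit:
            continue
        reasons = []
        if os.path.splitext(hit.group("name"))[1].lower() in SCRIPT_EXT:
            reasons.append("script extension")
        if ip in uploaders:
            reasons.append("same source uploaded earlier")
        if status == "200":
            reasons.append("served 200")
        if reasons:
            findings.append({"ip": ip, "user": user, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, why in scan_upload_dir(UPLOAD_DIR):
        print(f"FILE {name}: {why}")
    for f in scan_access_log(ACCESS_LOG):
        print(f"REQ  {f['ip']} ({f['user']}) {f['path']}: {', '.join(f['reasons'])}")
```

The content check matters more than the extension check: an attacker who knows the image store is reviewed can name a script `notes.txt`, and only the leading bytes give it away. The log pass treats an upload followed by a fetch of a UUID-prefixed script name from the same source as the strongest signal, since that is exactly the sequence the disclosed filename enables.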

Priority Score

36 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0


EUVD-2025-18668 vulnerability details – vuln.today
