Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The Versa Director SD-WAN orchestration platform includes a Webhook feature for sending notifications to external HTTP endpoints. However, the "Add Webhook" and "Test Webhook" functionalities can be abused by an authenticated user to send crafted HTTP requests to localhost. This can be leveraged to execute commands on behalf of the versa user, who has sudo privileges, potentially leading to privilege escalation or remote code execution.
Exploitation Status:
Versa Networks is not aware of any reported instance where this vulnerability was exploited. Proof of concept for this vulnerability has been disclosed by third party security researchers.
Workarounds or Mitigation:
There are no workarounds to disable the GUI option. Versa recommends that Director be upgraded to one of the remediated software versions.
AnalysisAI
CVE-2025-23172 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in Versa Director SD-WAN orchestration platform that allows authenticated users with high privileges to abuse the Webhook feature to send crafted HTTP requests to localhost endpoints. This can be exploited to execute arbitrary commands on behalf of the 'versa' user who holds sudo privileges, resulting in potential remote code execution and privilege escalation. While no active exploitation has been reported in the wild, a proof-of-concept has been publicly disclosed, presenting an elevated risk for organizations running vulnerable Versa Director instances.
Technical ContextAI
The vulnerability resides in the Webhook notification feature of Versa Director's HTTP-based orchestration interface (CWE-918: Server-Side Request Forgery). The root cause is insufficient input validation and lack of network boundary enforcement when the 'Add Webhook' and 'Test Webhook' functionalities construct and dispatch HTTP requests. An authenticated administrator can specify arbitrary localhost endpoints (e.g., http://localhost:PORT/endpoint) that may expose local services running with elevated privileges. The 'versa' service user operates with sudo capabilities, meaning successful SSRF exploitation to local privileged services (such as local management APIs, configuration endpoints, or command execution interfaces) can escalate to system-level code execution. This is a classic SSRF-to-RCE chain where the platform's own local architecture becomes the attack surface.
RemediationAI
Versa Networks recommends immediate upgrade to remediated software versions (specific version numbers should be obtained from Versa Networks security advisory). No functional workarounds exist to disable the Webhook GUI feature, so patching is mandatory for full remediation. Interim compensating controls: (1) Restrict administrative access to Versa Director console via strong access controls and multi-factor authentication; (2) Implement network segmentation to limit outbound HTTP requests from Versa Director to approved external endpoints only, blocking localhost and internal service routes; (3) Monitor and audit all Webhook configuration changes and test activities for anomalous localhost-targeting requests; (4) Disable or restrict the Test Webhook functionality through role-based access control if the Director platform supports granular permission controls; (5) Implement intrusion detection rules to alert on HTTP requests from Versa Director processes targeting localhost addresses. Contact Versa Networks directly or check their security portal for specific patched version availability and upgrade timelines.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18671