Versa Concerto Improper Authentication (CVE-2025-34026)

let VersaConcertoHosts = dynamic(["concerto", "versa", "sd-wan"]);
let SuspiciousUAPaths = dynamic(["/api/", "/auth/", "/login", "/admin", "/management"]);
union DeviceNetworkEvents, CommonSecurityLog, W3CIISLog
| where TimeGenerated > ago(24h)
| where (
    (cs_UriStem has_any (SuspiciousUAPaths) and (sc_status in (200, 302) or sc_status between (400 .. 403)))
    or (RequestURL has_any (SuspiciousUAPaths))
  )
| where (
    Computer has_any (VersaConcertoHosts)
    or DestinationHostName has_any (VersaConcertoHosts)
    or DeviceName has_any (VersaConcertoHosts)
  )
| extend AuthBypass = case(
    cs_status == 200 and cs_username == "-" and cs_UriStem has_any ("/api/", "/admin/"), "Unauthenticated access to protected endpoint",
    RequestMethod == "GET" and RequestURL contains "/auth" and EventOutcome == "Success", "Auth bypass via GET",
    "Normal"
  )
| where AuthBypass != "Normal"
| project TimeGenerated, Computer, SourceIP, DestinationIP, RequestURL, cs_UriStem, sc_status, cs_username, AuthBypass, RequestMethod
| order by TimeGenerated desc

index=network OR index=web OR index=proxy sourcetype IN ("iis", "apache:access", "nginx:access", "pan:traffic", "cisco:asa")
| where match(host, "(?i)(concerto|versa|sd-wan)")
  OR match(dest_host, "(?i)(concerto|versa|sd-wan)")
  OR match(url, "(?i)(concerto|versa)")
| eval protected_path=if(match(uri_path, "(?i)(/api/|/auth|/admin|/management|/login)"), 1, 0)
| eval auth_bypass=case(
    protected_path=1 AND status=200 AND (user="-" OR isnull(user) OR user="anonymous"), "unauth_success",
    protected_path=1 AND status IN (200, 302) AND method="GET" AND match(uri_path, "(?i)/auth"), "auth_bypass_get",
    protected_path=1 AND status=200 AND (src_ip!="" AND NOT match(src_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)")) , "external_unauth_access",
    true(), "normal"
  )
| where auth_bypass!="normal"
| stats count AS attempt_count, values(uri_path) AS accessed_paths, values(method) AS http_methods, dc(src_ip) AS unique_src_ips BY _time, src_ip, dest_ip, host, auth_bypass, status, user
| where attempt_count > 0
| sort -attempt_count

sequence by source.ip with maxspan=5m
  [network where host.name like~ "*concerto*" or host.name like~ "*versa*"
   and url.path like~ "/api/*" or url.path like~ "/auth*" or url.path like~ "/admin*"
   and http.response.status_code in (401, 403)]
  [network where host.name like~ "*concerto*" or host.name like~ "*versa*"
   and url.path like~ "/api/*" or url.path like~ "/auth*" or url.path like~ "/admin*"
   and http.response.status_code == 200
   and (user.name == null or user.name == "-" or user.name == "anonymous")]

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  URL,
  username,
  "HTTP Response Code" AS http_status,
  "HTTP Method" AS http_method,
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'Microsoft IIS', 'NGINX', 'Palo Alto Networks Firewall')
  AND (URL IMATCHES '(?i).*(concerto|versa).*'
    OR DEVICENAME IMATCHES '(?i).*(concerto|versa|sd-wan).*')
  AND URL IMATCHES '(?i).*(/(api|auth|admin|management|login)).*'
  AND "HTTP Response Code" = 200
  AND (username IS NULL OR username = '-' OR LOWER(username) = 'anonymous')
  AND LAST 24 HOURS
ORDER BY starttime DESC

_sourceCategory=network/web OR _sourceCategory=proxy OR _sourceCategory=firewall
| where %"cs-host" matches "*concerto*" or %"cs-host" matches "*versa*" or _sourceHost matches "*concerto*" or _sourceHost matches "*versa*"
| parse regex field=_raw "\"(?P<http_method>GET|POST|PUT|DELETE|PATCH|OPTIONS)\s+(?P<uri_path>/[^\s]+)"
| parse regex field=_raw "HTTP/[0-9\.]+\"\s+(?P<status_code>[0-9]{3})"
| parse regex field=_raw "user=(?P<username>[^\s&]+)" nodrop
| where uri_path matches "*/api/*" or uri_path matches "*/auth*" or uri_path matches "*/admin*" or uri_path matches "*/management*"
| where status_code = "200"
| where isBlank(username) or username = "-" or toLowerCase(username) = "anonymous"
| count by _sourceHost, src_ip, uri_path, http_method, status_code, username
| sort by _count desc

rule versa_concerto_auth_bypass_cve_2025_34026 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects authentication bypass exploitation of CVE-2025-34026 in Versa Concerto"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-34026"
    cve = "CVE-2025-34026"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      $e.target.hostname = /(?i)(concerto|versa-concerto|versa)/ or
      $e.target.ip = $target_ip
    )
    (
      $e.network.http.target_url = /(?i)\/(api|auth|admin|management|login)\// or
      $e.network.http.target_url = /(?i)\/(api|auth|admin|management|login)$/
    )
    $e.network.http.response_code = 200
    (
      not $e.principal.user.userid = /\w+/ or
      $e.principal.user.userid = "-" or
      $e.principal.user.userid = "anonymous"
    )

  condition:
    $e
}

#event_simpleName=NetworkConnectIP4
| ExternalNetworkAccess=true OR RemotePort in (80, 443, 8080, 8443)
| TargetAddressIP4 = /(?i)(concerto|versa)/
  OR HttpUrl = /(?i)\/(api|auth|admin|management|login)/
| HttpStatusCode = 200
| (HttpUsername = null OR HttpUsername = "-" OR HttpUsername = "anonymous")
| groupby([RemoteAddressIP4, TargetAddressIP4, HttpUrl, HttpStatusCode, HttpMethod, HttpUsername], function=count())
| rename count() as attempt_count
| sort -attempt_count
| limit 100