CVE-2025-34026 Elastic Security · Elastic

Detect Versa Concerto Improper Authentication (CVE-2025-34026) in Elastic Security

Detects exploitation attempts targeting CVE-2025-34026, an improper authentication vulnerability (CWE-288) in Versa Concerto SD-WAN orchestration platform. This vulnerability allows attackers to bypass authentication controls, potentially enabling unauthorized access to the Concerto management interface. Listed as a CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where host.name like~ "*concerto*" or host.name like~ "*versa*"
   and url.path like~ "/api/*" or url.path like~ "/auth*" or url.path like~ "/admin*"
   and http.response.status_code in (401, 403)]
  [network where host.name like~ "*concerto*" or host.name like~ "*versa*"
   and url.path like~ "/api/*" or url.path like~ "/auth*" or url.path like~ "/admin*"
   and http.response.status_code == 200
   and (user.name == null or user.name == "-" or user.name == "anonymous")]
critical severity high confidence

EQL sequence detection that identifies a pattern of initial authentication failure followed by a successful unauthenticated access to a protected Versa Concerto endpoint within 5 minutes — a hallmark of authentication bypass exploitation.

Data Sources

Elastic SIEMFilebeatPacketbeatElastic Agent

Required Tables

logs-*filebeat-*packetbeat-*

False Positives & Tuning

  • Retry logic in client applications that may legitimately succeed after an initial 401
  • Session expiration followed by token refresh resulting in re-authentication
  • Misconfigured applications that generate transient 401s before successful auth
  • Security scanners performing authentication testing

Other platforms for CVE-2025-34026

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated GET to Versa Concerto API Endpoint

    Expected signal: HTTP access log on Concerto server showing GET /api/v1/system/info with source IP of test host, status 200, and empty/anonymous username field. Network flow showing connection to port 443.

  2. Test 2Authentication Bypass Probe via Malformed Auth Header

    Expected signal: Series of HTTP requests to multiple protected paths logged on Concerto host. Network proxy logs showing path enumeration pattern from single source IP within short time window.

  3. Test 3Post-Authentication-Bypass Configuration Read

    Expected signal: HTTP GET to /api/v1/vnf/inventory logged with 200 response and response body size. DLP or data exfiltration alerts if JSON response contains sensitive topology data. Network flow showing data transfer volume.

  4. Test 4Concerto Admin User Creation via Unauthenticated API

    Expected signal: HTTP POST to /api/v1/users logged. Concerto audit log entry for user creation event. If successful, new user visible in Concerto user management interface.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-34026 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1021Remote ServicesT1556Modify Authentication Process

Same Tactic: Initial Access

Popular Detections