Detect Versa Concerto Improper Authentication (CVE-2025-34026) in Splunk
Detects exploitation attempts targeting CVE-2025-34026, an improper authentication vulnerability (CWE-288) in Versa Concerto SD-WAN orchestration platform. This vulnerability allows attackers to bypass authentication controls, potentially enabling unauthorized access to the Concerto management interface. Listed as a CISA KEV, indicating active exploitation in the wild.
MITRE ATT&CK
SPL Detection Query
index=network OR index=web OR index=proxy sourcetype IN ("iis", "apache:access", "nginx:access", "pan:traffic", "cisco:asa")
| where match(host, "(?i)(concerto|versa|sd-wan)")
OR match(dest_host, "(?i)(concerto|versa|sd-wan)")
OR match(url, "(?i)(concerto|versa)")
| eval protected_path=if(match(uri_path, "(?i)(/api/|/auth|/admin|/management|/login)"), 1, 0)
| eval auth_bypass=case(
protected_path=1 AND status=200 AND (user="-" OR isnull(user) OR user="anonymous"), "unauth_success",
protected_path=1 AND status IN (200, 302) AND method="GET" AND match(uri_path, "(?i)/auth"), "auth_bypass_get",
protected_path=1 AND status=200 AND (src_ip!="" AND NOT match(src_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)")) , "external_unauth_access",
true(), "normal"
)
| where auth_bypass!="normal"
| stats count AS attempt_count, values(uri_path) AS accessed_paths, values(method) AS http_methods, dc(src_ip) AS unique_src_ips BY _time, src_ip, dest_ip, host, auth_bypass, status, user
| where attempt_count > 0
| sort -attempt_countDetects authentication bypass patterns on Versa Concerto hosts by identifying successful HTTP responses to protected endpoints from unauthenticated or anonymous sessions. Particularly flags external IP access to management endpoints.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Internal monitoring and health-check tools accessing Concerto API endpoints
- Legitimate administrative sessions where user field is not populated in logs
- Load balancer health checks that appear as anonymous requests
- API integrations using token-based auth that does not populate user field in web logs
Other platforms for CVE-2025-34026
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated GET to Versa Concerto API Endpoint
Expected signal: HTTP access log on Concerto server showing GET /api/v1/system/info with source IP of test host, status 200, and empty/anonymous username field. Network flow showing connection to port 443.
- Test 2Authentication Bypass Probe via Malformed Auth Header
Expected signal: Series of HTTP requests to multiple protected paths logged on Concerto host. Network proxy logs showing path enumeration pattern from single source IP within short time window.
- Test 3Post-Authentication-Bypass Configuration Read
Expected signal: HTTP GET to /api/v1/vnf/inventory logged with 200 response and response body size. DLP or data exfiltration alerts if JSON response contains sensitive topology data. Network flow showing data transfer volume.
- Test 4Concerto Admin User Creation via Unauthenticated API
Expected signal: HTTP POST to /api/v1/users logged. Concerto audit log entry for user creation event. If successful, new user visible in Concerto user management interface.
Unlock Pro Content
Get the full detection package for CVE-2025-34026 including response playbook, investigation guide, and atomic red team tests.