Waiting for security update: Versa Concerto is severely wounded
Several vulnerabilities threaten the Versa Concerto orchestration platform. Malicious code attacks are possible.
Attackers can exploit three security vulnerabilities in Versa Concerto and completely compromise systems. No security patches have been released to date.
When will the updates be released?
Admins use the Versa Concerto orchestration platform to manage services with Versa Operating System (VOS), among other things. If attackers successfully exploit the vulnerabilities, they can execute their own code and gain full control over systems.
Security researchers from ProjectDiscovery have discovered the vulnerabilities. They have compiled their findings in an article. They state that they first contacted the developers about the security problems in February of this year. At the end of March, security updates were promised for April. However, according to the researchers, these have not yet been released. It is still unclear when they will be released. The answer to an inquiry from heise Security is still pending.
The dangers
If attackers successfully exploit the vulnerabilities, they can bypass authentication, gain higher user rights and execute malicious code. According to the security researchers, the vulnerabilities can be combined to fully compromise the application and the underlying host system. Two vulnerabilities are considered “critical” (CVE-2025-34026, CVE-2025-34027). The latter is even classified with the highest possible CVSS score of 10 out of 10. For the third vulnerability (CVE-2025-34025), the threat level is “high”.
The researchers describe the vulnerabilities in detail in their report. They also provide information on how admins can temporarily protect their systems from the attacks described until the updates are released. Among other things, admins need to create a rule to block certain headers.
(des)