
Patch now! Zero-day used to target ISPs and MSPs

A patch is now available for a high severity vulnerability in Versa Director that can be used to compromise ISPs, MSPs and their customers.

Versa Networks is warning customers to patch a high severity vulnerability in its Versa Director software that has been exploited by an Advanced Persistent Threat (APT) actor. CISA has also issued an advisory about the vulnerability, and added it to its known exploited vulnerabilities catalog.

The flaw, CVE-2024-39717, is a privilege escalation vulnerability (TA0004) that affects all Versa SD-WAN customers using Versa Director versions older than 22.1.4. It allows users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges to upload malicious files that could be used to compromise a vulnerable system.

According to the CVE description, Versa Director allows users to customize the look and feel of its user interface, which includes an option to upload an alternative favicon image file. Threat actors who successfully authenticate with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges can upload a malicious file with a .png extension. CISA reports that an attacker “could exploit this vulnerability to take control of an affected system.”

However, the potential damage extends beyond a single compromised system. A breach in a Versa Director instance puts an attacker in a position of control over network infrastructure, and gives them a vantage point from which to observe or attack an MSP’s or ISP’s customers.

The vulnerability was discovered by researchers at Lumen, who say it was used to install a web shell (a type of backdoor) called “VersaMem.” The backdoor was used to load additional malicious code, and to intercept and harvest credentials that could give attackers access to an ISP’s or MSP’s customers’ networks.

At the time of discovery, the bug was a zero-day vulnerability. While Versa confirms it was used in “at least one known instance by an Advanced Persistent Threat actor,” Lumen reports that it was used as early as June 12, 2024, and has so far identified four victims in the US, and one outside the US. It attributes the activities to a pair of state-sponsored APT groups out of China—Volt Typhoon and Bronze Silhouette—with moderate confidence.

Volt Typhoon was first identified in 2023 and is known for targeting US critical infrastructure. Bronze Silhouette has been active since at least 2018 and is known primarily for targeting Southeast Asian and South Asian government and defense organizations. Both groups focus on espionage and intelligence gathering in support of China’s geopolitical objectives.

While it was still a zero-day, the vulnerability was probably only known to these two nation-state threat actors. Now that it is public knowledge, the flaw is likely to be of interest to a wider group of criminals, including big game ransomware gangs, who may see it as a way to compromise and ransom an MSP’s entire customer base.

According to Lumen, the threat actors were able to gain access to vulnerable Versa Director instances through an exposed management port (port 4566). The Versa advisory confirms this by taking the unusual step of calling out some of the company’s customers for not setting up their products correctly, saying “impacted customers failed to implement system hardening and firewall guidelines … leaving a management port exposed.” 

The flaw is fixed in version 22.1.4 of Versa Director.

Versa advises that customers follow its firewall guidelines and system hardening best practices before upgrading to a remediated version of its software. It also advises that once a system is no longer vulnerable to exploitation, customers check Versa Director’s /var/versa/vnms/web/custom_logo/ directory for suspicious uploads.
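One way to run that directory check, as an added example that is not taken from the Versa or Lumen advisories: the script below flags files under the custom_logo directory whose leading bytes are not a PNG signature. It assumes a suspicious upload is one whose content does not match its .png name; the function names and the table of non-image headers are illustrative.

```python
import sys
from pathlib import Path

# Directory named in the article; pass a different path as argv[1] to scan a copy.
CUSTOM_LOGO_DIR = "/var/versa/vnms/web/custom_logo/"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte header of every PNG file

# Illustrative (assumed) table of headers that never belong in a logo directory.
NON_IMAGE_HEADERS = {
    b"PK\x03\x04": "zip archive",
    b"\xca\xfe\xba\xbe": "java class",
    b"\x7fELF": "elf executable",
    b"#!": "script",
}

def classify(path):
    """Return 'png', a label from NON_IMAGE_HEADERS, or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(len(PNG_SIGNATURE))
    if head == PNG_SIGNATURE:
        return "png"
    for magic, label in NON_IMAGE_HEADERS.items():
        if head.startswith(magic):
            return label
    return "unknown"

def find_suspicious(directory):
    """Return sorted (path, reason) pairs for uploads that need review."""
    findings = []
    for path in sorted(Path(directory).rglob("*")):
        if path.is_symlink():
            findings.append((str(path), "symlink in upload directory"))
        elif path.is_file():
            kind = classify(path)
            named_png = path.suffix.lower() == ".png"
            # Flag .png names without PNG content, and any known non-image header.
            if kind != "png" and (named_png or kind != "unknown"):
                findings.append((str(path), f"content is {kind}, not PNG"))
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else CUSTOM_LOGO_DIR
    hits = find_suspicious(target)
    for path, reason in hits:
        print(f"REVIEW {path}: {reason}")
    sys.exit(1 if hits else 0)
```

The exit status is 1 when anything is flagged, so the script can run from a scheduled job. A file that passes only has a PNG header, so unexpected names or timestamps in the directory still deserve a manual look.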

