Even Minimal Exposure Can Pose Risks

Zero-Day Vulnerability in Versa Director Servers: A Closer Look at CVE-2024-39717

A zero-day vulnerability in Versa Director servers has been discovered, highlighting the potential for significant damage even with a relatively low number of exposures. The vulnerability, known as CVE-2024-39717, has been rated as high severity by the NIST National Vulnerability Database and medium severity by HackerOne.

Cyble’s ODIN vulnerability scanning platform found only 31 internet-exposed Versa Director instances, with 16 of them located in the U.S. This is concerning because Versa Director servers are crucial for managing network configurations for Versa’s SD-WAN software, which is widely used by internet service providers (ISPs) and managed service providers (MSPs).

The vulnerability, dubbed “VersaMem,” was discovered by researchers from Lumen’s Black Lotus Labs and has been actively exploited by threat actors targeting ISPs, MSPs, and IT companies. The exploit allows attackers to intercept and harvest credentials, gaining access to downstream customers’ networks as authenticated users.

The attacks have been attributed to Chinese state-sponsored threat actors known as Volt Typhoon and Bronze Silhouette. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing the urgency for organizations to take action.

To mitigate the risk, Versa Director users are advised to upgrade to version 22.1.4 or later, apply hardening techniques, and implement firewall rules. Additional recommendations include blocking external access to specific ports, monitoring network traffic for unusual activities, enforcing multi-factor authentication, and regularly auditing user credentials and privilege levels.

It is crucial for organizations to take proactive measures to protect their systems and networks from potential exploitation of this zero-day vulnerability.
