CVE-2025-23168

Name of the Vulnerable Software and Affected Versions Versa Director versions (affected versions not specified)

Description The Versa Director SD-WAN orchestration platform has a security issue with its Two-Factor Authentication (2FA) system. The platform accepts untrusted user input when sending 2FA codes, allowing an attacker who knows a valid username and password to redirect the One-Time Passcode (OTP) delivery to their own device. Additionally, the 2FA system does not properly limit the number of login attempts, and OTP values are generated from a relatively small keyspace, making brute-force attacks more feasible. The OTP/TOTP codes are not invalidated after use, enabling an attacker to reuse a previously intercepted or obtained valid code. There are no reported instances of this issue being exploited, but a proof of concept has been disclosed by third-party security researchers.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.