CVE-2024-45208: Versa Director SD-WAN RCE Vulnerability

CVE-2024-45208 Overview

CVE-2024-45208 affects the Versa Director SD-WAN orchestration platform, which embeds the Cisco Network Configuration Server (NCS) application service. Active and Standby Directors communicate over TCP ports 4566 and 4570 to exchange High Availability (HA) information using a shared password. Affected versions bind these ports on all interfaces, exposing the NCS service to any attacker with network reachability to the Director. An attacker who can reach port 4566 can invoke administrative actions on the NCS service and achieve remote code execution on the Director host.

Critical Impact

Network-reachable attackers can abuse the exposed HA port to perform unauthorized administrative operations and execute arbitrary code on Versa Director, compromising the SD-WAN control plane.

Affected Products

• Versa Director releases prior to 21.2.3
• Versa Director releases prior to 22.1.2, 22.1.3, and 22.1.4
• Deployments exposing TCP ports 4566 and 4570 on untrusted interfaces

Discovery Timeline

• 2025-06-19 - CVE-2024-45208 published to the National Vulnerability Database
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2024-45208

Vulnerability Analysis

Versa Director runs a Cisco NCS-based service to coordinate Active and Standby nodes for High Availability. The HA channel listens on TCP 4566 and 4570 and authenticates peers using a shared password. The defect, classified as Improper Access Control [CWE-284], is that the listener binds to all interfaces rather than the dedicated HA interface. Any host able to reach the Director on 4566 can interact with the NCS administrative interface.

Once connected, an attacker can issue administrative NCS commands. These commands include configuration changes and operations that lead to arbitrary code execution on the underlying operating system. Versa Networks reports no observed exploitation, but third-party researchers have published proof-of-concept code demonstrating the attack path.

Root Cause

The root cause is an interface binding misconfiguration combined with reliance on a shared static password for the HA channel. The NCS listener should be restricted to the HA management network. Instead, it accepts connections from any reachable interface, transforming an internal HA protocol into an external attack surface.

Attack Vector

The attack is network-based, requires no authentication, and no user interaction. An attacker with TCP reachability to port 4566 on a vulnerable Versa Director appliance connects to the NCS service, exercises its administrative commands, and pivots to remote code execution as the Director service account. From there, the attacker controls the SD-WAN orchestration plane, including tenant configurations and downstream devices.

No verified exploit code is published in NVD. Refer to the Versa Networks HA Port Exploit Discovery and Remediation article for technical indicators and exploitation context.

Detection Methods for CVE-2024-45208

Indicators of Compromise

• Inbound TCP connections to ports 4566 or 4570 on Versa Director from any host outside the dedicated HA interface or peer Director
• Unexpected NCS administrative actions logged on the Director, including configuration commits or CLI invocations not tied to authenticated operator sessions
• New or modified user accounts, SSH keys, or scheduled tasks on the Director appliance
• Outbound connections from the Director to unknown infrastructure following access to port 4566

Detection Strategies

• Inspect netstat and firewall logs for listeners on 4566 and 4570 bound to 0.0.0.0 rather than the HA interface address
• Correlate Director syslog and NCS audit logs against authenticated operator activity to surface unattributed administrative actions
• Deploy network detection rules that alert on connections to 4566/4570 sourced outside the HA subnet
• Run the discovery steps in the Versa Networks HA Port Exploit Remediation article to confirm whether prior exploitation occurred

Monitoring Recommendations

• Continuously monitor process execution on the Director for shells or interpreters spawned by NCS service accounts
• Capture and retain full packet metadata on management VLANs serving Versa Director for retrospective analysis
• Alert on configuration drift in tenant policies, routing, and credential stores that may indicate orchestration plane abuse

How to Mitigate CVE-2024-45208

Immediate Actions Required

• Upgrade Versa Director to 21.2.3, 22.1.2, 22.1.3, 22.1.4, or later as appropriate for your release train
• Apply the firewall and binding changes in the Versa Networks Manual Hardening Guide to restrict ports 4566 and 4570 to the HA interface
• Audit the Director for indicators described in the HA Port Exploit Remediation article and rotate credentials if compromise is suspected

Patch Information

Versa Networks addressed the issue in Director releases 21.2.3, 22.1.2, 22.1.3, and 22.1.4. See the Release 21.2.3 notes, Release 22.1.2 notes, Release 22.1.3 notes, and Release 22.1.4 notes for upgrade details. Customer guidance is summarized in the Versa Networks Email Bulletin.

Workarounds

• Restrict the NCS HA listener to the dedicated HA interface address rather than 0.0.0.0
• Block TCP 4566 and 4570 at the host firewall (iptables/nftables) for all sources except the peer Director
• Place Versa Director management and HA traffic on an isolated network segment with no operator or tenant reachability
• Rotate the HA shared password after applying patches and hardening

# Example host firewall rule restricting NCS HA ports to the peer Director only
sudo iptables -A INPUT -p tcp --dport 4566 -s <peer_director_ip> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 4570 -s <peer_director_ip> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 4566 -j DROP
sudo iptables -A INPUT -p tcp --dport 4570 -j DROP