CVE-2024-39717

ENISA EUVD: EUVD-2024-38202
Exploited in the Wild ✓ Confirmed 0-Day
Triaged: March 5, 2026 · 3 articles · Published: 2024-08-22

EPSS Score

Source: FIRST.org · 2026-05-23
5.36%
probability
This CVE has a 5.36% probability of being exploited in the next 30 days.
Top 90.2th percentile of all CVEs

CVSS v3.0

Source: VulnerabilityLookup (CIRCL)
6.6
MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged in with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege.) The “Change Favicon” (Favorite Icon) option can be misused to upload a malicious file ending with a .png extension to masquerade as an image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in.

Affected Products

Versa Director
21.2.2; 21.2.3 before 2024-06-21; 22.1.1; 22.1.2 before 2024-06-21; 22.1.3 before 2024-06-21

Attack Intelligence

Signal Intelligence

Confidence 92%
EPSS 5.36%
CVSS v3.0 6.6
Mentions 3
Last Seen Aug 27, 2024

CNA Information

CNA Assigner
hackerone

Analyst Note

CVE-2024-39717 is explicitly named as a zero-day exploited in the wild by Chinese Volt Typhoon threat actors against ISPs and MSPs. Published August 22, 2024, with confirmed active exploitation documented by reputable sources (BleepingComputer). Versa released a patch in response to active attacks, meeting the zero-day criteria of exploitation preceding or concurrent with patch availability.

Threat Actors 11

Harvester
apt_group Information theft and espionage Unknown
Hacking Team
apt_group 🇮🇹 IT
Volt Typhoon
apt_group Information theft and espionage 🇨🇳 CN
Group 27
apt_group Information theft and espionage 🇨🇳 CN
Inception
apt_group Information theft and espionage 🇷🇺 RU
The White Company
apt_group Information theft and espionage 🇨🇳 CN
Test Panda
apt_group 🇨🇳 CN
Mana Team
apt_group 🇨🇳 CN
Big Panda
apt_group 🇨🇳 CN
Beijing Group
apt_group Information theft and espionage 🇨🇳 CN
Electric Panda
apt_group 🇨🇳 CN

Triage Info

Decided at: Mar 05, 2026
Published Date: Aug 22, 2024