C0039: Versa Director Zero Day Exploitation
Versa Director Zero Day Exploitation was conducted by Volt Typhoon from early June through August 2024 as zero-day exploitation of Versa Director servers controlling software-defined wide area network (SD-WAN) applications. Since tracked as CVE-2024-39717, exploitation focused on credential capture from compromised Versa Director servers at managed service providers (MSPs) and internet service providers (ISPs) to enable follow-on access to service provider clients. Versa Director Zero Day Exploitation was followed by the delivery of the VersaMem web shell for both credential theft and follow-on code execution.[1]
Analyst context for executives and security teams
This campaign matters because it shows how compromise of a service-provider management platform can become an identity and access risk for many downstream organizations. MITRE describes zero-day exploitation of Versa Director servers controlling SD-WAN applications, focused on credential capture at MSPs and ISPs and followed by deployment of the VersaMem web shell for credential theft and follow-on code execution. For executives and security leaders, the key decision is whether externally reachable network-management systems and provider trust paths are treated as high-risk assets with evidence-ready monitoring, patch governance, and incident response playbooks.
Executive priority
Prioritize this as a service-provider, identity, and network-management risk rather than a narrow appliance issue. Leaders should ask: Which Versa Director or comparable SD-WAN management systems are internet-facing or provider-managed? What credentials, customer environments, or operational network paths could be exposed if those systems are compromised? Can the organization produce audit evidence for vulnerability response, privileged credential rotation, web shell investigation, and provider notification/escalation? The relationship to Volt Typhoon and its documented focus on critical infrastructure makes this especially relevant for resilience planning and cyber-physical risk discussions where network management supports critical operations.
Technical view
ATT&CK links this campaign to Exploit Public-Facing Application (T1190), Server Software Component: Web Shell (T1505.003), Input Capture (T1056), Application Layer Protocol: Web Protocols (T1071.001), Non-Application Layer Protocol (T1095), Encrypted Channel: Asymmetric Cryptography (T1573.002), Compromise Infrastructure: Network Devices (T1584.008), and Develop Capabilities: Malware (T1587.001). SOC and IR teams should validate visibility around Versa Director servers and any equivalent SD-WAN management plane: external exposure, application and administrative logs, file integrity or deployment artifacts for unexpected Java/JAR components, authentication events, credential access indicators, inbound and outbound web and non-application-layer communications, and encrypted or unusual C2-like traffic patterns. The mirrored procedure text is specific on one point worth building into detection: HTTPS sessions over port 443 between compromised SOHO devices and Versa Director servers, preceded by a non-standard TCP session used to initialize the channel. Because MITRE provides no official detection text for the campaign, local detection engineering should be driven by asset inventory, vendor advisories, known-good baselines, and the related VersaMem behavior.
Likely telemetry
- Internet-facing asset inventory and exposure management records for Versa Director or comparable SD-WAN management systems
- Vulnerability management evidence for CVE-2024-39717 and affected management servers
- Versa Director application, administrative, authentication, and access logs where available
- File creation, modification, package, or deployment telemetry capable of identifying unexpected Java Archive/JAR components or web shell artifacts
- Network flow, proxy, firewall, and DNS telemetry for inbound and outbound web-protocol and non-standard TCP communications involving management servers
Detection direction
- Confirm whether the organization has complete inventory and ownership for Versa Director servers, including systems operated by MSPs, ISPs, or other providers on its behalf.
- Tune detections around exploit-after-access outcomes: new or modified server-side components, unexpected JAR files, anomalous administrative sessions, credential capture indicators, and web shell-like request patterns.
- Baseline normal management-server communications before alerting on web protocols alone; HTTP/S traffic can be common and high-volume, so detections should emphasize unusual destinations, timing, user agents, paths, methods, authentication context, and post-exploitation changes.
- Validate visibility for both application-layer and non-application-layer communications to and from network-management infrastructure, since ATT&CK associates the campaign with both Web Protocols and Non-Application Layer Protocol C2 techniques and the procedure text describes a non-standard TCP session preceding HTTPS C2; retain per-peer session ordering so that sequence is recoverable during a hunt.
- Treat absence of official MITRE detection guidance as a coverage gap to be closed through vendor logs, EDR/NDR where supported, network controls, and IR-ready forensic procedures.
Mitigation priorities
- Identify and reduce exposure of Versa Director and comparable SD-WAN management interfaces, especially internet-facing systems and provider-administered instances.
- Use vulnerability management to verify status for CVE-2024-39717 across owned and provider-managed environments, retaining evidence for audit and incident review.
- Harden privileged access to SD-WAN management systems, including least privilege, strong authentication where supported, credential rotation after suspected compromise, and review of service/provider accounts.
- Prepare an incident response workflow for management-plane compromise: isolate affected servers, preserve logs and forensic evidence, hunt for web shells or unexpected JAR artifacts, assess credential exposure, and review downstream access paths.
- Require MSP/ISP security attestations or incident notification procedures where provider-managed Versa Director infrastructure could affect the organization.
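For the hunt step in the incident response bullet above (unexpected or modified JAR artifacts), an added example that is not vendor guidance or Versa's own tooling: it builds a SHA-256 manifest of JAR files under a directory, compares a later manifest against it, and reports new, modified and missing JARs. The install path, file names and the constructed tree in demo() are assumptions; the real Versa Director layout must come from the deployment itself.

```python
"""Hunt for unexpected or modified JAR files by comparing against a baseline.

Added example, not vendor guidance. The tree in demo() is constructed; the
real Versa Director layout must be taken from the deployment itself.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every *.jar under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*.jar"))
        if p.is_file()
    }


def save_manifest(manifest, path):
    """Persist a manifest as JSON; store it off the host it describes."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    """Load a manifest written by save_manifest."""
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, current):
    """Classify JARs as new, modified (hash changed) or missing vs. baseline."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current
                           if k in baseline and current[k] != baseline[k]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Run the comparison against a constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        # Constructed placeholder contents, not real JARs.
        (root / "lib" / "director-core.jar").write_bytes(b"PK\x03\x04 known-good core")
        (root / "lib" / "director-ui.jar").write_bytes(b"PK\x03\x04 known-good ui")
        baseline = build_manifest(root)  # captured at a trusted point in time
        # Simulated post-exploitation changes: one dropped JAR, one tampered JAR.
        (root / "lib" / "support-tools.jar").write_bytes(b"PK\x03\x04 unexpected")
        (root / "lib" / "director-ui.jar").write_bytes(b"PK\x03\x04 tampered ui")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: jar_baseline.py <install-root> <baseline.json>
        # Writes the baseline on first run, compares against it afterwards.
        root, baseline_path = sys.argv[1], Path(sys.argv[2])
        if not baseline_path.exists():
            save_manifest(build_manifest(root), baseline_path)
            print(f"baseline written to {baseline_path}")
        else:
            report = compare_manifests(load_manifest(baseline_path), build_manifest(root))
            print(json.dumps(report, indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as the moment it was taken: capture it from a freshly patched, vendor-verified install and keep the JSON off the server, since a web shell with code execution can rewrite a manifest stored locally as easily as it drops a JAR.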
Analyst notes and limits
The supplied ATT&CK record identifies a 2024 campaign involving zero-day exploitation of Versa Director servers, credential capture at MSPs and ISPs, and delivery of VersaMem. Relationships provide useful defensive framing: public-facing application exploitation for initial access, web shell persistence, input capture for credential theft, and multiple command-and-control patterns. The strongest business implication is third-party management-plane compromise enabling downstream access, especially where SD-WAN administration bridges many customer or operational networks.
MITRE does not provide official detection guidance for this campaign, and the campaign object itself lists no platforms or tactics. Platform references here are limited to related software and technique context, especially Network Devices for VersaMem and several related techniques. This take does not assert current exploitation, customer exposure, or detection coverage. Local asset inventory, vendor guidance, provider information, and forensic evidence are required to determine applicability and response priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1190 | Exploit Public-Facing Application | Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.[1] |
| Enterprise | T1584.008 | Compromise Infrastructure: Network Devices | Versa Director Zero Day Exploitation used compromised small office/home office (SOHO) devices to interact with vulnerable Versa Director servers.[1] |
| Enterprise | T1056 | Input Capture | Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.[1] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Versa Director Zero Day Exploitation resulted in the deployment of the VersaMem web shell for follow-on activity.[1] |
Groups, software, and campaigns
G1017: Volt Typhoon
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]
Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]
S1154: VersaMem
VersaMem is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, VersaMem was used during Versa Director Zero Day Exploitation by Volt Typhoon to target ISPs and MSPs. VersaMem is deployed as a Java Archive (JAR) and allows for credential capture for Versa Director logon activity as well as follow-on execution of arbitrary Java payloads.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object version, MITRE modification timestamp and raw hash. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 162b67489638… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lumen Versa 2024: Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitation. Retrieved August 27, 2024.
[2] mitre-attack C0039: MITRE ATT&CK campaign C0039.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.