Critical Security Flaw in Juniper Session Smart Routers Allows Authentication Bypass
February 18, 2025
Juniper Networks has released security patches for a critical flaw affecting its Session Smart Router, Session Smart Conductor, and WAN Assurance Router products. If exploited, this vulnerability could enable an attacker to take control of vulnerable devices. The vulnerability, tracked as CVE-2025-21589, has been given a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3.
Juniper Networks described the vulnerability as an 'Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router,' which could potentially allow a network-based attacker to bypass authentication and gain administrative control of the device.
The vulnerability affects various products and versions. The company discovered the vulnerability during its internal product security testing and research. Juniper Networks has stated that it is currently unaware of any malicious exploitation of this vulnerability.
The security flaw has been fixed in Session Smart Router versions SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, and later. According to the company, 'This vulnerability has been patched automatically on devices that operate with WAN Assurance (where configuration is also managed) connected to the Mist Cloud.' The company further advised that, whenever feasible, routers should still be updated to a version containing the fix.