{"uuid": "b45703d4-11a4-4f18-a2f4-8929ea2f08d2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "2025-02: Out-of-Cycle Security Bulletin: Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass Vulnerability (CVE-2025-21589)", "description": "This issue affects Session Smart Router, Session Smart Conductor, WAN Assurance Managed Router.\nSeverity\nCritical\nSeverity Assessment (CVSS) Score\n\nCVSS: v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) SEVERITY:CRITICAL\nCVSS: v4.0: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) SEVERITY:CRITICAL\nProblem\n\nAn Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device.\n\n \n\nThis issue affects Session Smart Router: \n\n    from 5.6.7 before 5.6.17, \n    from 6.0.8,\n    from 6.1 before 6.1.12-lts, \n    from 6.2 before 6.2.8-lts, \n    from 6.3 before 6.3.3-r2; \n\nThis issue affects Session Smart Conductor: \n\n    from 5.6.7 before 5.6.17, \n    from 6.0.8,\n    from 6.1 before 6.1.12-lts, \n    from 6.2 before 6.2.8-lts, \n    from 6.3 before 6.3.3-r2; \n\nThis issue affects WAN Assurance Managed Routers: \n\n    from 5.6.7 before 5.6.17, \n    from 6.0.8,\n    from 6.1 before 6.1.12-lts, \n    from 6.2 before 6.2.8-lts, \n    from 6.3 before 6.3.3-r2.\n\n \n\nJuniper SIRT is not aware of any malicious exploitation of this vulnerability.\nThis issue was found during internal product security testing or research\nSolution\n\nThe following software releases have been updated to resolve this issue:\n\n\nSession Smart Router: SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2 and subsequent releases.\n\n\nIt is suggested to upgrade all affected systems to one of these versions of software. In a Conductor-managed deployment, it is sufficient to upgrade only the Conductor nodes and the fix will be applied automatically to all connected routers. As practical, the routers should still be upgraded to a fixed version however they will not be vulnerable once they connect to an upgraded Conductor. Router patching can be confirmed once the router reaches the \u201crunning\" (on 6.2 and earlier) or \u201csynchronized\u201d (on 6.3+) state on the Conductor\".\n \n\nThis vulnerability has been patched automatically on devices that operate with WAN Assurance (where configuration is also managed) connected to the Mist Cloud. As practical, the routers should still be upgraded to a version containing the fix.\n\nIt is important to note that when the fix is applied automatically on routers managed by a Conductor or on WAN assurance, it will have no impact on data-plane functions of the router. The application of the fix is non-disruptive to production traffic. There may be a momentary downtime (less than 30 seconds) to the web-based management and APIs. \n\n \n\nThis issue is being tracked as I95-59677.\n\nNote: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).\nWorkaround\n\nThere are no known workarounds for this issue.\nSeverity Assessment\nInformation for how Juniper Networks uses CVSS can be found at KB 16446 \"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories.\"\nModification History\n\n2024-02-11: Initial Publication\n\nRelated Information\n\n    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process\n    KB16765: In which releases are vulnerabilities fixed?\n    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories\n    Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team\n\n", "description_format": "markdown", "vulnerability": "ncsc-2025-0062", "creation_timestamp": "2025-02-19T16:52:08.947558+00:00", "timestamp": "2025-02-19T16:52:08.947558+00:00", "related_vulnerabilities": [], "meta": [{"tags": ["vulnerability:exploitability=documented"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}