Juniper Networks has released security updates to address critical security flaws affecting WAN Assurance router products that can be exploited to hijack control of session smart routers, session smart conductors, and susceptible devices. did.
The CVSS V3.1 score for the vulnerability tracked as CVE-2025-21589 is 9.8 and the CVS V4 score is 9.3.
“Authentication bypass smart routers using alternative path or channel vulnerabilities in Juniper Networks sessions may allow network-based attackers to bypass authentication and take control of devices,” the company advises It states.
The vulnerability affects the following products and versions –
Session Smart Router: 6.3 to 6.3-R2 Session Smart Conductor from 6.3 to 6.3 to 6.3 to 6.3 to 6.3 to 6.3 to 6.3 to 6.3 to 6.3 to 6.0.8 to 6.12-LTS, 6.2 before 6.2.8-LTS From 5.6.7 before 5.6.7, from 6.0.8 to 6.1.12-LTS, from 6.2 before 6.2.8-LTS, from 6.3 to 6.3-R2 WAN Assurance Managed Routers: 5.6.7 and before 5.6.17, 6.0.8, from 6.1 before 6.1.12-LTS, from 6.2 before 6.2.8-LTS, from 6.3 before 6.3.3-R2
Juniper Networks said the vulnerability was discovered during internal product security testing and research and is unaware of malicious exploitation.
This defect has been addressed in SSR-5.6.17, SSR-6.1.12-LTS, SSR-6.2.8-LTS, SSR-6.3.3-R2, and then in Session Smart Router versions.
“This vulnerability is automatically patched on devices that run with WAN guarantees (and configurations are also managed) connected to the MIST cloud,” the company added. “As practical, the router still needs to be upgraded to a version with fixes.”
Source link
