#VU103903 Improper authentication in Juniper Networks, Inc. products - CVE-2025-21589

Cybersecurity Help s.r.o.

Published: 2025-02-12

Vulnerability identifier: #VU103903

Vulnerability risk: Critical

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]

CVE-ID: CVE-2025-21589

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Session Smart Router
Server applications / Other server solutions
WAN Assurance Router
Hardware solutions / Routers & switches, VoIP, GSM, etc
Session Smart Conductor
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Juniper Networks, Inc.

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an unspecified error in the authentication process. A remote non-authenticated attacker can bypass authentication and gain administrative access to the device.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Session Smart Router: before 5.6.17

WAN Assurance Router: before 5.6.17

Session Smart Conductor: before 5.6.17

External links
https://supportportal.juniper.net/s/article/2025-02-Out-of-Cycle-Security-Bulletin-Session-Smart-Router-Session-Smart-Conductor-WAN-Assurance-Router-API-Authentication-Bypass-Vulnerability-CVE-2025-21589

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Authentication bypass in Juniper Session Smart products