Juniper Session Smart routers have a critical flaw, so patch now


  • Juniper Networks says it found a critical flaw during internal testing
  • The Session Smart Router bug has a 9.8 severity score and allows full device takeover
  • A patch is already available, so update now

Juniper Networks has released a patch for a critical vulnerability that could let an attacker take over Session Smart Routers (SSR).

In a security advisory, the company said it discovered CVE-2025-21589 during internal testing: an authentication bypass vulnerability with a CVSS score of 9.8/10 (critical). The issue affects Session Smart Router, Session Smart Conductor and WAN Assurance Managed Routers. The same version ranges are affected for all three products:

  • from 5.6.7 before 5.6.17,
  • from 6.0.8,
  • from 6.1 before 6.1.12-lts,
  • from 6.2 before 6.2.8-lts,
  • from 6.3 before 6.3.3-r2.

No workarounds

Juniper said that there are no workarounds for this issue, and that the only way to safeguard affected devices is to upgrade to a fixed release: SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2 and subsequent releases. Note that no fixed release is listed for the 6.0 branch, which the advisory describes as affected from 6.0.8 onwards.
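As an added example (not Juniper's code and not part of the advisory), the following Python encodes the affected ranges and fixed releases quoted above so that a version string pulled from a device inventory can be checked offline. The accepted version-string format, the treatment of the "-rN" and "-lts" suffixes, and the upper bound placed on the 6.0 branch are assumptions made here and noted in the comments; the ranges and fixed releases themselves come from the advisory text as reproduced on this page.

```python
"""Check Juniper SSR version strings against the CVE-2025-21589 ranges.

Added example, not Juniper's code.  Version-string parsing and suffix
ordering are assumptions (see parse_version); the affected ranges and
fixed releases are those quoted in the advisory text above.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, revision)

# Affected ranges as (inclusive lower bound, exclusive upper bound).  The
# same ranges apply to Session Smart Router, Session Smart Conductor and
# WAN Assurance Managed Routers.  The 6.0 branch is listed as "from 6.0.8"
# with no upper bound and no fixed release, so it is bounded here only by
# the start of the 6.1 branch (assumption).
AFFECTED_RANGES = [
    ((5, 6, 7, 0), (5, 6, 17, 0)),
    ((6, 0, 8, 0), (6, 1, 0, 0)),
    ((6, 1, 0, 0), (6, 1, 12, 0)),
    ((6, 2, 0, 0), (6, 2, 8, 0)),
    ((6, 3, 0, 0), (6, 3, 3, 2)),  # fixed in 6.3.3-r2, so a plain 6.3.3 is still affected
]

# Fixed release per branch, from the advisory's patch list.  No fixed
# 6.0.x release is listed, so that branch maps to None.
FIXED_RELEASE = {
    (5, 6): "SSR-5.6.17",
    (6, 0): None,
    (6, 1): "SSR-6.1.12-lts",
    (6, 2): "SSR-6.2.8-lts",
    (6, 3): "SSR-6.3.3-r2",
}

# Accepts "6.3.3-r2", "SSR-6.1.12-lts", "6.2" and similar (assumed format).
_VERSION_RE = re.compile(
    r"^(?:SSR-)?(\d+)\.(\d+)(?:\.(\d+))?(?:-(lts|r(\d+)))?$", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Parse an SSR version string into a comparable tuple.

    Assumption (not stated in the advisory): "-rN" is a numbered re-spin
    that orders after the bare release, "-lts" is a branch label with no
    ordering effect, and a missing patch or revision counts as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SSR version string: {text!r}")
    major, minor, patch, _suffix, rev = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rev or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_release_for(version: str) -> Optional[str]:
    """Fixed release on the same branch, or None if the advisory lists none."""
    v = parse_version(version)
    return FIXED_RELEASE.get((v[0], v[1]))


def assess(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if not is_affected(version):
        return f"{version}: not in an affected range"
    fix = fixed_release_for(version)
    if fix is None:
        return f"{version}: AFFECTED - no fixed release listed for this branch; move to a fixed branch"
    return f"{version}: AFFECTED - upgrade to {fix} or later"


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for v in ["5.6.6", "5.6.10", "5.6.17", "6.0.7", "6.0.9", "6.1.12-lts",
              "6.2.3", "6.3.3", "6.3.3-r2", "SSR-6.3.3-r2"]:
        print(assess(v))
```

Two details matter in practice: a bare "6.3.3" is still inside the affected range because the fix is the "-r2" re-spin, and anything on the 6.0 branch from 6.0.8 onwards has no fixed release in the list, so the only remedy the page supports is moving to one of the fixed branches.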

“In a Conductor-managed deployment, it is sufficient to upgrade only the Conductor nodes and the fix will be applied automatically to all connected routers,” Juniper explained. “As practical, the routers should still be upgraded to a fixed version however they will not be vulnerable once they connect to an upgraded Conductor. Router patching can be confirmed once the router reaches the ‘running’ (on 6.2 and earlier) or ‘synchronized’ (on 6.3+) state on the Conductor.”

Devices managed through WAN Assurance and connected to the Mist Cloud receive the fix automatically, although Juniper said those routers should still be upgraded to a fixed version.

So far, there is no evidence of the flaw being exploited in the wild.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
