Authorization bypass flaw in Juniper Security Director enables access to sensitive resources
Take action: If you run the Juniper Security Director network management platform, isolate the web interface from the internet and make it reachable only from trusted networks. Then plan an update to Software Bundle Update 24.4.1-1703 or later. This is not a panic-mode patch if the web interface is already isolated, but a lot of endpoints are affected, so it is better to patch.
Juniper Networks has patched a critical security flaw in its Security Director network security management platform that could allow unauthenticated attackers to read or tamper with sensitive resources and compromise downstream managed devices.
Security Director provides automated enforcement and policy orchestration that allows updated security policies to deploy across Juniper SRX firewalls, EX Series switches, QFX series switches, MX series routers, and third-party network devices.
The vulnerability is tracked as CVE-2025-52950 (CVSS v3.1 score 9.6) - Missing Authorization for Critical Functions in Juniper Security Director. The issue is caused by numerous endpoints on the Security Director appliance that fail to properly validate authorization levels, potentially exposing sensitive information to unauthorized users.
The vulnerability allows attackers to access data that is outside their authorized permission levels, potentially enabling them to gain access to additional information or perpetrate other attacks that could impact downstream managed network devices and security infrastructure.
The issue is tracked internally by Juniper under multiple ticket numbers: SB-14875, SB-15264, SB-15265, SB-15266, SB-15267, SB-15268, and SB-15269, possibly because of multiple endpoints suffering from the same flaw.
Juniper Networks has released Security Director Software Bundle Update 24.4.1-1703 to patch this flaw.
Organizations using Juniper Security Director should implement access controls to restrict web interface access to trusted hosts, verify their current software version, and prioritize updating to Security Director Software Bundle Update 24.4.1-1703 or later.