Juniper patches critical authentication bypass vulnerability in its Session Smart/Assurance devices
Take action: If you are running a Juniper Networks Session Smart Router (SSR), Session Smart Conductor or WAN Assurance Managed Routers, this is an urgent action. Juniper deemed it worthy of an out-of-cycle patch, so you are definitely exposed. Start patching, today if possible.
Juniper Networks has reported and patched a critical authentication bypass vulnerability affecting its Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Managed Routers.
The vulnerability, tracked as CVE-2025-21589 (CVSS score 9.8), was discovered during internal product security testing. It enables network-based attackers to bypass authentication mechanisms and gain administrative control of affected devices. According to Juniper's Security Incident Response Team (SIRT), there is currently no evidence of this vulnerability being exploited in the wild. However, given Juniper's history of devices being targeted shortly after patch releases, the risk remains significant.
Affected products have been patched in the following versions: SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, and subsequent releases. For systems in a Conductor-managed deployment, upgrading only the Conductor nodes is sufficient as the fix will automatically propagate to connected routers. Additionally, some devices connected to the Mist Cloud have already received automatic patches.
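One way to triage a device inventory against the fixed releases listed above, as an added example that is not from Juniper or the original article. The version string format (optional `SSR-` prefix, `-rN` and `-lts` suffixes), the hostnames and the status labels are assumptions; release trains the article does not list are flagged for a manual check against the vendor advisory.

```python
import re

# Fixed releases named in the article, keyed by release train (major, minor).
# Each value is (patch, respin), where respin is the number in an "-rN" suffix.
FIXED = {(5, 6): (17, 0), (6, 1): (12, 0), (6, 2): (8, 0), (6, 3): (3, 2)}
_VERSION = re.compile(r"(?:SSR-)?(\d+)\.(\d+)\.(\d+)((?:-[a-z0-9]+)*)", re.I)

def parse(version):
    """Return ((major, minor), (patch, respin)), or None if not understood."""
    m = _VERSION.fullmatch(version.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    respin = 0
    for token in filter(None, m.group(4).lower().split("-")):
        if re.fullmatch(r"r\d+", token):
            respin = int(token[1:])
        elif token != "lts":          # only suffixes seen in the article
            return None
    return (major, minor), (patch, respin)

def triage(version):
    """Classify one version string against the article's fixed releases."""
    parsed = parse(version)
    if parsed is None:
        return "unparsed"
    train, build = parsed
    if train not in FIXED:
        return "check-advisory"       # train not listed in the article
    # "below-fix" means older than the fixed build, not confirmed vulnerable:
    # the article does not say where the affected range starts.
    return "patched" if build >= FIXED[train] else "below-fix"

def report(inventory):
    """Return (host, role, version, status) rows, Conductor nodes first."""
    rows = [(h, r, v, triage(v)) for h, r, v in inventory]
    return sorted(rows, key=lambda row: (row[1] != "conductor", row[0]))

# Constructed inventory: hostnames, roles and versions are made up.
INVENTORY = [
    ("edge-01", "router", "SSR-6.3.3"),
    ("cond-01", "conductor", "SSR-6.1.11-lts"),
    ("edge-03", "router", "SSR-6.3.3-r2"),
    ("edge-04", "router", "SSR-5.5.9"),
]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print("{:8} {:10} {:16} {}".format(*row))
```

Note that `6.3.3` without the `-r2` respin is reported as below the fix, which a plain three-part version comparison would miss.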
This security incident follows a pattern of vulnerabilities in Juniper devices. In June 2024, the company addressed another SSR authentication bypass (CVE-2024-2973) that could lead to device takeover.
Both Italian and Belgian cybersecurity agencies have issued alerts about this vulnerability due to Juniper devices' widespread use in critical infrastructure and frequent targeting by threat actors.
Organizations using affected Juniper products are strongly advised to upgrade to the patched versions immediately, even if their devices are connected to an upgraded Conductor, to ensure complete protection against this vulnerability.