Session Smart Router, Session Smart Conductor, WAN Assurance Router: API...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

An Authentication Bypass Using an
Alternate Path or Channel vulnerability in Juniper Networks Session Smart
Router may allows a network-based attacker to bypass authentication
and take administrative control of the device.

This issue affects Session Smart Router:

* from 5.6.7 before 5.6.17,
* from 6.0 before 6.0.8 (affected from 6.0.8),

* from 6.1 before 6.1.12-lts,
* from 6.2 before 6.2.8-lts,
* from 6.3 before 6.3.3-r2;

This issue affects Session Smart Conductor:

* from 5.6.7 before 5.6.17,
* from 6.0 before 6.0.8 (affected from 6.0.8),

* from 6.1 before 6.1.12-lts,
* from 6.2 before 6.2.8-lts,
* from 6.3 before 6.3.3-r2;

This issue affects WAN Assurance Managed Routers:

* from 5.6.7 before 5.6.17,
* from 6.0 before 6.0.8 (affected from 6.0.8),

* from 6.1 before 6.1.12-lts,
* from 6.2 before 6.2.8-lts,
* from 6.3 before 6.3.3-r2.

Basic Information

ID CVE-2025-21589

Source juniper

Published Jan 27, 2026 at 20:32

Modified Jan 27, 2026 at 21:28

Affected Product

Vendor Juniper Networks

Product Session Smart Router

Version 5.6.7

Affected Versions Juniper Networks Session Smart Router 5.6.7
Juniper Networks Session Smart Router 6.1
Juniper Networks Session Smart Router 6.2
Juniper Networks Session Smart Router 6.3
Juniper Networks Session Smart Conductor 5.6.7
Juniper Networks Session Smart Conductor 6.1
Juniper Networks Session Smart Conductor 6.2
Juniper Networks Session Smart Conductor 6.3
Juniper Networks WAN Assurance Managed Router 5.6.7
Juniper Networks WAN Assurance Managed Router 6.1
Juniper Networks WAN Assurance Managed Router 6.2
Juniper Networks WAN Assurance Managed Router 6.3

CWE Classification

CWE-288

References

{
    "lastseen": "",
    "description": "An Authentication Bypass Using an\nAlternate Path or Channel vulnerability in Juniper Networks Session Smart\nRouter may allows a network-based attacker to bypass authentication\nand take administrative control of the device.\n\nThis issue affects Session Smart Router:\u00a0\n\n\n\n  *  from 5.6.7 before 5.6.17,\u00a0\n  *  from 6.0 before 6.0.8 (affected from 6.0.8),\n\n  *  from 6.1 before 6.1.12-lts,\u00a0\n  *  from 6.2 before 6.2.8-lts,\u00a0\n  *  from 6.3 before 6.3.3-r2;\u00a0\n\n\n\n\nThis issue affects Session Smart Conductor:\u00a0\n\n\n\n  *  from 5.6.7 before 5.6.17,\u00a0\n  *  from 6.0 before 6.0.8 (affected from 6.0.8),\n\n  *  from 6.1 before 6.1.12-lts,\u00a0\n  *  from 6.2 before 6.2.8-lts,\u00a0\n  *  from 6.3 before 6.3.3-r2;\u00a0\n\n\n\n\nThis issue affects WAN Assurance Managed Routers:\u00a0\n\n\n\n  *  from 5.6.7 before 5.6.17,\u00a0\n  *  from 6.0 before 6.0.8 (affected from 6.0.8),\n\n  *  from 6.1 before 6.1.12-lts,\u00a0\n  *  from 6.2 before 6.2.8-lts,\u00a0\n  *  from 6.3 before 6.3.3-r2.",
    "published": "2026-01-27T20:32:13.334Z",
    "modified": "2026-01-27T21:28:02.560Z",
    "type": "cve",
    "title": "Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass vulnerability",
    "source": "juniper",
    "references": "https://supportportal.juniper.net/\nhttps://support.juniper.net/support/eol/software/ssr/\nhttps://kb.juniper.net/JSA94663",
    "id": "CVE-2025-21589",
    "bulletinFamily": "",
    "cwe": [
        "CWE-288"
    ],
    "cvelist": null,
    "sourceData": "Juniper Networks Session Smart Router 5.6.7\nJuniper Networks Session Smart Router 6.1\nJuniper Networks Session Smart Router 6.2\nJuniper Networks Session Smart Router 6.3\nJuniper Networks Session Smart Conductor 5.6.7\nJuniper Networks Session Smart Conductor 6.1\nJuniper Networks Session Smart Conductor 6.2\nJuniper Networks Session Smart Conductor 6.3\nJuniper Networks WAN Assurance Managed Router 5.6.7\nJuniper Networks WAN Assurance Managed Router 6.1\nJuniper Networks WAN Assurance Managed Router 6.2\nJuniper Networks WAN Assurance Managed Router 6.3",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Session Smart Router",
    "version": "5.6.7",
    "vendor": "Juniper Networks",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass vulnerability_CVE-2025-21589