CVE-2025-21589

Juniper Session Smart Router Authentication Bypass

CVE-2025-21589 is a critical (CVSS 9.8) authentication bypass vulnerability in Juniper Networks Session Smart Router (formerly 128T), Session Smart Conductor, and WAN Assurance Managed Routers. An unauthenticated network attacker can bypass authentication via an alternate path or channel to take full administrative control of affected devices. Affected versions span 5.6.7 through 6.3.x prior to their respective fixed releases (5.6.17, 6.0.8, 6.1.12-lts, 6.2.8-lts, 6.3.3-r2). Successful exploitation gives the attacker administrative access to manage routing, tunnels, and network policy across the SD-WAN fabric — a ransomware precursor and lateral movement enabler in environments where Juniper SSR provides WAN connectivity for branch offices.

Microsoft Sentinel / Defender

kusto

// CVE-2025-21589 — Juniper Session Smart Router Auth Bypass
// Detect unauthenticated administrative access attempts or successful logins
// to Juniper SSR management interfaces (REST API port 443, NETCONF 830)
// via network flow logs, firewall logs, and proxy logs
let JuniperMgmtPorts = dynamic([443, 830, 22, 8080]);
let AuthBypassPatterns = dynamic([
  "/api/v1/", "/api/v2/", "/login", "/auth",
  "/netconf", "/rest", "/conductor"
]);
// Alert 1: Suspicious auth events on known Juniper SSR management IPs
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor has_any ("Juniper", "128T")
    or Activity has_any ("authentication", "login", "session")
| where DestinationPort in (JuniperMgmtPorts)
| where Message has_any ("bypass", "unauthorized", "unauthenticated", "admin", "privilege")
    or Activity has_any ("AUTH_BYPASS", "LOGIN_SUCCESS", "PRIVILEGE_ESCALATION")
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort,
    DeviceVendor, Activity, Message, AdditionalExtensions
| extend ThreatIndicator = "CVE-2025-21589-Juniper-SSR-AuthBypass"
| sort by TimeGenerated desc

critical severity medium confidence

Data Sources

CommonSecurityLog Network flows (Azure NSG / firewall logs) Juniper JUNOS syslog

Required Tables

CommonSecurityLog AzureNetworkAnalytics_CL

False Positives

Legitimate administrative logins to Juniper SSR management interface by network engineers
Scheduled health checks or monitoring probes polling the REST API on port 443
NETCONF-based configuration management from authorised orchestration systems (NSO, Ansible)

Last updated: 2026-04-22 Research depth: standard

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2025-21589 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Juniper Session Smart Router Authentication Bypass

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Initial Access

Popular Detections