CVE-2025-21589 Splunk · SPL

Detect Juniper Session Smart Router Authentication Bypass in Splunk

CVE-2025-21589 is a critical (CVSS 9.8) authentication bypass vulnerability in Juniper Networks Session Smart Router (formerly 128T), Session Smart Conductor, and WAN Assurance Managed Routers. An unauthenticated network attacker can bypass authentication via an alternate path or channel to take full administrative control of affected devices. Affected versions span 5.6.7 through 6.3.x prior to their respective fixed releases (5.6.17, 6.0.8, 6.1.12-lts, 6.2.8-lts, 6.3.3-r2). Successful exploitation gives the attacker administrative access to manage routing, tunnels, and network policy across the SD-WAN fabric — a ransomware precursor and lateral movement enabler in environments where Juniper SSR provides WAN connectivity for branch offices.

MITRE ATT&CK

Tactic: Initial Access

SPL Detection Query

Splunk (SPL)

```spl
index=network sourcetype IN ("juniper:junos", "juniper:structured", "cisco:asa", "pan:traffic", "fortigate:traffic")
(
  (dest_port IN (443, 830, 22, 8080))
  AND (
    (vendor="Juniper" OR product IN ("SSR", "128T", "session-smart-router", "vSmart", "Conductor"))
    OR (uri_path IN ("/api/v1", "/api/v2", "/netconf", "/conductor/api"))
  )
)
| eval suspicious=if(
    match(action, "(?i)(bypass|unauthorized|fail|reject)") OR
    match(app, "(?i)(netconf|rest-api|web-mgmt)"),
    "true", "false"
  )
| bin _time span=1h
| stats count AS LoginAttempts,
        count(eval(suspicious="true")) AS SuspiciousEvents,
        dc(src_ip) AS UniqueSourceIPs,
        values(src_ip) AS SourceIPs,
        values(dest_port) AS Ports,
        values(uri_path) AS Paths,
        values(action) AS Actions
  BY dest_ip, _time
| where LoginAttempts > 5 OR UniqueSourceIPs > 3
| eval CVE="CVE-2025-21589"
| eval Severity="CRITICAL"
| table _time, dest_ip, SourceIPs, Ports, Paths, Actions, LoginAttempts, SuspiciousEvents, UniqueSourceIPs, CVE, Severity
| sort - LoginAttempts
```

Severity: critical · Confidence: medium

Detects potential exploitation of CVE-2025-21589 by monitoring network flows and Juniper syslog for repeated or anomalous authentication attempts against SSR management ports. Aggregates by destination IP (SSR device) and flags when multiple source IPs or high attempt counts target the device management interface.
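The same aggregation logic as an added Python example (not part of the original detection content), run over constructed sample events so the thresholds can be checked offline. Field names follow the SPL query; the key=value log format, host addresses and timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real device logs), key=value form with the SPL query's fields.
# 10.0.0.5: probed from four sources in one hour. 10.0.0.6: routine poller. 10.0.0.9: not an SSR.
SAMPLE_EVENTS = """\
2025-02-17T10:03:11Z vendor=Juniper product=SSR src_ip=203.0.113.10 dest_ip=10.0.0.5 dest_port=830 app=netconf action=unauthorized
2025-02-17T10:05:42Z vendor=Juniper product=SSR src_ip=203.0.113.11 dest_ip=10.0.0.5 dest_port=443 app=rest-api action=fail uri_path=/api/v1
2025-02-17T10:09:07Z vendor=Juniper product=SSR src_ip=203.0.113.12 dest_ip=10.0.0.5 dest_port=443 app=https action=allow
2025-02-17T10:14:58Z vendor=Juniper product=SSR src_ip=203.0.113.13 dest_ip=10.0.0.5 dest_port=22 app=ssh action=reject
2025-02-17T10:20:00Z vendor=Juniper product=SSR src_ip=10.0.0.50 dest_ip=10.0.0.6 dest_port=443 app=rest-api action=allow uri_path=/api/v1
2025-02-17T10:31:25Z vendor=Cisco product=ASA src_ip=198.51.100.7 dest_ip=10.0.0.9 dest_port=443 app=https action=allow
"""

MGMT_PORTS = {22, 443, 830, 8080}
SSR_PRODUCTS = {"SSR", "128T", "session-smart-router", "vSmart", "Conductor"}
MGMT_PATHS = {"/api/v1", "/api/v2", "/netconf", "/conductor/api"}
SUSPICIOUS_ACTION = re.compile(r"(?i)bypass|unauthorized|fail|reject")
SUSPICIOUS_APP = re.compile(r"(?i)netconf|rest-api|web-mgmt")

def parse_event(line):
    """Split a 'timestamp k=v k=v ...' line into a field dict."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["dest_port"] = int(ev["dest_port"])
    return ev

def targets_ssr_mgmt(ev):
    """Mirror the base search: a management port on an SSR device or an SSR API path."""
    return ev["dest_port"] in MGMT_PORTS and (
        ev.get("vendor") == "Juniper" or ev.get("product") in SSR_PRODUCTS
        or ev.get("uri_path") in MGMT_PATHS)

def detect(raw, max_attempts=5, max_sources=3):
    """Group per (dest_ip, hour) like 'bin _time span=1h | stats ... BY dest_ip, _time'; alert on either threshold."""
    buckets = defaultdict(list)
    for line in raw.splitlines():
        if targets_ssr_mgmt(ev := parse_event(line)):
            buckets[(ev["dest_ip"], ev["_time"].replace(minute=0, second=0))].append(ev)
    alerts = []
    for (dest_ip, hour), evs in buckets.items():
        sources = sorted({e["src_ip"] for e in evs})
        suspicious = sum(1 for e in evs if SUSPICIOUS_ACTION.search(e.get("action", ""))
                         or SUSPICIOUS_APP.search(e.get("app", "")))
        if len(evs) > max_attempts or len(sources) > max_sources:
            alerts.append({"time": hour.isoformat(), "dest_ip": dest_ip, "sources": sources,
                           "ports": sorted({e["dest_port"] for e in evs}), "attempts": len(evs), "suspicious": suspicious})
    return sorted(alerts, key=lambda a: a["attempts"], reverse=True)
```

Only 10.0.0.5 fires, on the UniqueSourceIPs > 3 branch; the poller traffic to 10.0.0.6 stays under both thresholds, which is the case the tuning section below describes.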

Data Sources

  • Juniper JUNOS syslog
  • Firewall traffic logs (Palo Alto, FortiGate, Cisco ASA)
  • Network flow data

Required Sourcetypes

  • juniper:junos
  • pan:traffic
  • cisco:asa

False Positives & Tuning

  • Network management systems (Juniper Mist, NSO) making frequent API calls to SSR devices for configuration synchronisation
  • Monitoring platforms polling the REST API at high frequency
  • Security vulnerability scanners probing management ports during authorised scans
Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: NETCONF authentication attempt to SSR device

    Expected signal: SSH connection event to port 830, followed by successful NETCONF session establishment without credential prompt if device is vulnerable.
