title: Juniper Session Smart Router Authentication Bypass (CVE-2025-21589)
id: df00tech-cve-2025-21589
status: experimental
description: "CVE-2025-21589 is a critical (CVSS 9.8) authentication bypass vulnerability in Juniper Networks Session Smart Router (formerly 128T), Session Smart Conductor, and WAN Assurance Managed Routers. An unauthenticated network attacker can bypass authentication via an alternate path or channel to take full administrative control of affected devices. Affected versions span 5.6.7 through 6.3.x prior to their respective fixed releases (5.6.17, 6.0.8, 6.1.12-lts, 6.2.8-lts, 6.3.3-r2). Successful exploitation gives the attacker administrative access to manage routing, tunnels, and network policy across the SD-WAN fabric — a ransomware precursor and lateral movement enabler in environments where Juniper SSR provides WAN connectivity for branch offices."
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-21589
  - https://df00tech.com/detections/CVE-2025-21589
author: df00tech
date: 2026/04/22
tags:
  - attack.cve-2025-21589
  - cve.2025-21589
# NOTE: logsource is auto-derived and does not correspond to a Juniper SSR log source;
# point it at the source that carries SSR management-plane authentication events before use
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # PLACEHOLDER: "EventID: '*'" matches every event in the logsource, so the rule as written
  # fires on all events at level critical. Replace the selection before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate administrative logins to Juniper SSR management interface by network engineers
  - Scheduled health checks or monitoring probes polling the REST API on port 443
  - "NETCONF-based configuration management from authorised orchestration systems (NSO, Ansible)"
level: critical
