Critical Authentication Bypass Flaw Discovered in Juniper Session Smart Routers

Juniper Networks has released urgent security updates to fix a severe authentication bypass vulnerability in its Session Smart Router products. The flaw, identified as CVE-2025-21589, received a critical severity rating with a CVSS score of 9.8.

The security issue affects multiple Juniper products including Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Routers across various versions. If exploited, the vulnerability could allow malicious actors on the network to bypass authentication controls and gain complete administrative access to affected devices.

The company discovered this flaw during internal security testing and has fixed it in versions SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, and newer releases. Devices using WAN Assurance with Mist Cloud have received the patch automatically, but Juniper still strongly recommends upgrading to a fixed version.

According to Juniper's security advisory, there are no known workarounds for this vulnerability. However, the company's Security Incident Response Team (SIRT) reports no evidence of active exploitation in the wild.

This latest security update follows a similar critical patch released by Juniper Networks in July 2024, which addressed another authentication bypass vulnerability (CVE-2024-2973) affecting routers in high-availability redundant configurations.

Network administrators are advised to update their Juniper devices to the latest patched versions to protect against potential security threats.