Juniper Networks last week published an out-of-cycle security bulletin to inform customers about the availability of patches for a critical authentication bypass vulnerability affecting its Session Smart Router product.
Cybersecurity agencies in Italy and Belgium alerted organizations about the vulnerability on Monday.
The security hole, tracked as CVE-2025-21589, has been described by Juniper as an authentication bypass that involves an “alternate path or channel vulnerability”. It can allow a network-based attacker to take administrative control of the targeted device.
The vulnerability affects the software-based Session Smart Router, which powers Juniper’s SD-WAN solution, as well as Session Smart Conductor and WAN Assurance Managed Router. Versions 5.6.17, 6.1.12-lts, 6.2.8-lts, and 6.3.3-r2 for each of the impacted products patch the flaw.
Organizations using the affected products have been advised to update as soon as possible. The vendor noted, however, that the flaw has been automatically patched on some devices.
While CVE-2025-21589 is a critical issue, Juniper pointed out that it was discovered during internal product security testing and the company is not aware of malicious exploitation.
On the other hand, threat actors have been known to target Session Smart Routers. In December 2024, Juniper warned customers that Session Smart Routers that had been using default credentials were being ensnared into a Mirai-based botnet.
Related: Justice Department Sues to Block $14 Billion Juniper Buyout by Hewlett Packard Enterprise
Related: Juniper Networks Fixes High-Severity Vulnerabilities in Junos OS
Related: Juniper Networks Patches Dozens of Vulnerabilities
Related: Juniper Networks Warns of Critical Authentication Bypass Vulnerability
