
Critical Vulnerability Discovered in Juniper Session Smart Routers

Juniper Networks has identified a critical vulnerability in its Session Smart Routers, which could allow unauthorized access to the devices. The flaw, designated as CVE-2025-21589, received a severity score of 9.8 out of 10, indicating its potential for significant impact.

This vulnerability affects several versions of the Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router. Specifically, the impacted versions include:

  • Session Smart Router: from 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, from 6.3 before 6.3.3-r2;
  • Session Smart Conductor: from 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, from 6.3 before 6.3.3-r2;
  • WAN Assurance Managed Routers: from 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, from 6.3 before 6.3.3-r2.

Juniper has emphasized that there are no workarounds for this issue. The only solution is to apply the available patches: SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, and subsequent releases. In deployments managed by the Conductor, upgrading the Conductor nodes will automatically apply the fix to all connected routers, although it is still recommended to update the routers themselves.
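To check an inventory against the affected ranges and fixed releases listed above, a version triage script helps. The following is an added example, not Juniper's or the article's code. It assumes version strings in the form the article uses (such as `6.3.3-r2`), treats `-rN` as ordering builds within one patch level, ignores `-lts` for ordering, and treats all of 6.0.x from 6.0.8 up as affected because no fixed 6.0 release is listed. Hostnames and sample versions are constructed.

```python
import re

# (first affected, first fixed) per release train, copied from the list above.
# Assumption: "from 6.0.8" has no fixed release listed, so every 6.0.x at or
# above 6.0.8 is treated as affected.
AFFECTED = [
    ("5.6.7", "5.6.17"),
    ("6.0.8", None),
    ("6.1", "6.1.12-lts"),
    ("6.2", "6.2.8-lts"),
    ("6.3", "6.3.3-r2"),
]

_VERSION = re.compile(r"(?:ssr-)?(\d+)\.(\d+)(?:\.(\d+))?((?:-(?:r\d+|lts))*)")

def parse(version):
    """Return (major, minor, patch, revision), or None if unparseable."""
    m = _VERSION.fullmatch(version.strip().lower())
    if not m:
        return None
    major, minor, patch, tags = m.groups()
    # Assumption: "-rN" orders builds of one patch level; "-lts" does not.
    rev = re.search(r"-r(\d+)", tags)
    return (int(major), int(minor), int(patch or 0), int(rev.group(1)) if rev else 0)

def is_affected(version):
    """True or False for a parsed version, None when it needs manual review."""
    v = parse(version)
    if v is None:
        return None
    for first, fixed in AFFECTED:
        lo = parse(first)
        # A range only applies inside its own major.minor release train.
        if v[:2] == lo[:2] and v >= lo and (fixed is None or v < parse(fixed)):
            return True
    return False

def triage(inventory):
    """Map hostname -> 'patch', 'ok' or 'review' for a {host: version} dict."""
    labels = {True: "patch", False: "ok", None: "review"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}

# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE = {"branch-01": "6.1.11-lts", "branch-02": "SSR-6.3.3-r2",
          "hub-01": "6.0.9", "hub-02": "5.6.6", "lab-01": "6.2.x"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Strings that do not parse are returned as `review` rather than `ok`, so an unexpected version format never passes silently.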

Devices operating with WAN Assurance connected to the Mist Cloud will receive automatic updates. As of now, there is no evidence that this vulnerability has been exploited in the wild.

For more details, visit the original article on TechRadar.