Juniper Security Director: Attackers can bypass security mechanism

Several products from network equipment manufacturer Juniper are vulnerable. If attacks are successful, attackers can install manipulated images or embed backdoors in switches, for example. Security patches are available for download.

Juniper lists the affected products in the support portal. Network admins can also find information on the patches there. As a list is beyond the scope of this report, the warning messages are linked below this article. So far, there are no indications of ongoing attacks. It is also unclear at this stage how admins can recognize instances that have already been successfully attacked.

Various dangers

The most dangerous is a vulnerability (CVE-2025-59968 "high") in the Juniper Security Director security solution, which is supposed to protect networks. Due to a lack of authorization, attackers can modify metadata via the web interface. This can lead to network data traffic that is actually blocked getting through.

A security vulnerability (CVE-2025-60004 "high") in Junos OS Evolved can lead to DoS states. According to the description, no authentication is required for attackers. Further DoS vulnerabilities (CVE-2025-59964 "high", CVE-2025-59975 "high") affect Junos OS and Junos Space.

Due to authentication errors, attackers can manipulate and upload vSRX images in the context of Security Director Policy Enforcer (CVE-2025-11198 "high"). The remaining vulnerabilities are categorised as "medium" threat level. They primarily impact Junos OS and attackers can use them to install backdoors, among other things.

Listing sorted by threat level in descending order:

• Juniper Security Director: Insufficient authorisation for sensitive resources in web interface (CVE-2025-59968)
• Junos OS and Junos OS Evolved: Specific BGP EVPN update message causes rpd crash (CVE-2025-60004)
• Junos OS: SRX4700: When forwarding-options sampling is enabled any traffic destined to the RE will cause the forwarding line card to crash and restart (CVE-2025-59964)
• Junos Space: Flooding device with inbound API calls leads to WebUI and CLI management access DoS (CVE-2025-59975)
• Security Director Policy Enforcer: An unrestricted API allows a network-based unauthenticated attacker to deploy malicious vSRX images to VMWare NSX Server (CVE-2025-11198)
• Junos OS: EX4600 Series and QFX5000 Series: An attacker with physical access can open a persistent backdoor (CVE-2025-59957)
• Junos OS Evolved: ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509: When specific valid multicast traffic is received on the L3 interface on a vulnerable device evo-pfemand crashes and restarts (CVE-2025-59967)
• Junos OS Evolved: PTX Series: When firewall filter rejects traffic these packets are erroneously sent to the RE (CVE-2025-59958)
•  Junos OS: When a user with the name ftp or anonymous is configured unauthenticated filesystem access is allowed (CVE-2025-59980)
• Junos OS Evolved: PTX Series except PTX10003: An unauthenticated adjacent attacker sending specific valid traffic can cause a memory leak in cfmman leading to FPC crash and restart (CVE-2025-52961)
• Junos OS: SRX Series and MX Series: Receipt of specific SIP packets in a high utilisation situation causes a flowd crash (CVE-2025-52960)
• Junos OS and Junos OS Evolved: Device allows login for user with expired password (CVE-2025-60010)
• Junos OS and Junos OS Evolved: With BGP sharding enabled, change in indirect next-hop can cause RPD crash (CVE-2025-59962)
• Junos OS Evolved: Multiple OS command injection vulnerabilities fixed (CVE-2025-60006)

(des)