Cyber Resilience

CVE-2025-21589

Critical

Published: 27 January 2026

Published
27 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0143 69.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-21589 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Juniper Networks Session (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-21589 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) affecting Juniper Networks Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Routers. The issue impacts versions from 5.6.7 before 5.6.17; from 6.0 before 6.0.8 (affected from 6.0.8); from 6.1 before 6.1.12-lts; from 6.2 before 6.2.8-lts; and from 6.3 before 6.3.3-r2 across all three products. Published on 2026-01-27, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

A network-based attacker with no privileges or user interaction can exploit this vulnerability to bypass authentication mechanisms and gain administrative control of the affected device. Successful exploitation provides high confidentiality, integrity, and availability impacts, potentially allowing full compromise of the router, conductor, or managed router.

Juniper's security advisory at https://kb.juniper.net/JSA94663 details the issue and recommends upgrading to fixed versions such as 5.6.17, 6.0.8, 6.1.12-lts, 6.2.8-lts, or 6.3.3-r2. Additional support resources include the end-of-life software page at https://support.juniper.net/support/eol/software/ssr/ and the support portal at https://supportportal.juniper.net/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allows a network-based attacker to bypass authentication and take administrative control of the device. This issue affects Session Smart Router: * from 5.6.7…

more

before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2; This issue affects Session Smart Conductor: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2; This issue affects WAN Assurance Managed Routers: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Auth bypass on network-exposed Juniper router/conductor directly enables remote exploitation of public-facing application for admin access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44574Shared CWE-288
CVE-2025-2747Shared CWE-288
CVE-2025-69101Shared CWE-288
CVE-2026-2628Shared CWE-288
CVE-2025-64121Shared CWE-288
CVE-2026-22733Shared CWE-288
CVE-2026-44575Shared CWE-288
CVE-2025-50904Shared CWE-288
CVE-2025-24846Shared CWE-288
CVE-2026-25002Shared CWE-288

Affected Assets

Juniper
Networks Session
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Limits permitted actions without identification or authentication, directly countering the alternate path or channel used to bypass authentication and gain administrative control.

prevent

Enforces approved authorizations for access to system resources, preventing network-based attackers from bypassing authentication mechanisms via alternate paths.

prevent

Requires timely remediation of identified flaws, such as upgrading to fixed versions to eliminate the authentication bypass vulnerability.

References