CVE-2025-52983

Summary

A UI Discrepancy for Security Feature

vulnerability in the UI of Juniper Networks Junos OS on VM Host systems allows a network-based, unauthenticated attacker to access the device.

On VM Host Routing Engines (RE), even if the configured public key for root has been removed, remote users which are in possession of the corresponding private key can still log in as root. This issue affects Junos OS:

  • all versions before 22.2R3-S7,
  • 22.4 versions before 22.4R3-S5,
  • 23.2 versions before 23.2R2-S3,
  • 23.4 versions before 23.4R2-S3,
  • 24.2 versions before 24.2R1-S2, 24.2R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS0 < 22.2R3-S7affected
Juniper NetworksJunos OS22.4 < 22.4R3-S5affected
Juniper NetworksJunos OS23.2 < 23.2R2-S3affected
Juniper NetworksJunos OS23.4 < 23.4R2-S3affected
Juniper NetworksJunos OS24.2 < 24.2R1-S2, 24.2R2affected

Weaknesses

  • CWE-446: CWE-446 UI Discrepancy for Security Feature

Workarounds

To prevent this issue from being ocuring, public key authentication for root can be explicitly disabled with:

[

system root-authentication no-public-keys

]

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References