CVE-2025-6549

Summary

An Incorrect Authorization vulnerability in the web server of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to reach the

Juniper Web Device Manager

(J-Web).

When Juniper Secure connect (JSC) is enabled on specific interfaces, or multiple interfaces are configured for J-Web, the J-Web UI is reachable over more than the intended interfaces. This issue affects Junos OS:

  • all versions before 21.4R3-S9,
  • 22.2 versions before 22.2R3-S5,
  • 22.4 versions before 22.4R3-S5,
  • 23.2 versions before 23.2R2-S3,
  • 23.4 versions before 23.4R2-S5,
  • 24.2 versions before 24.2R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS0 < 21.4R3-S9affected
Juniper NetworksJunos OS22.2 < 22.2R3-S5affected
Juniper NetworksJunos OS22.4 < 22.4R3-S5affected
Juniper NetworksJunos OS23.2 < 23.2R2-S3affected
Juniper NetworksJunos OS23.4 < 23.4R2-S5affected
Juniper NetworksJunos OS24.2 < 24.2R2affected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization

Workarounds

To reduce the risk of exploitation configure a firewall filter on all ingress interfaces over which J-Web is not meant to be reachable or ensure that the resp. security policies don't allow such connections.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References