CVE-2025-6549

MEDIUM

Juniper Networks Junos OS - Auth Bypass

Title source: llm

Description

An Incorrect Authorization vulnerability in the web server of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to reach the Juniper Web Device Manager (J-Web). When Juniper Secure connect (JSC) is enabled on specific interfaces, or multiple interfaces are configured for J-Web, the J-Web UI is reachable over more than the intended interfaces. This issue affects Junos OS: * all versions before 21.4R3-S9, * 22.2 versions before 22.2R3-S5, * 22.4 versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://supportportal.juniper.net/JSA100098

Scores

CVSS v3 6.5

EPSS 0.0023

EPSS Percentile 45.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (5)

juniper/junos 21.4 (16 CPE variants)

juniper/junos 22.2 (12 CPE variants)

juniper/junos 22.4 (12 CPE variants)

juniper/junos 23.2 (7 CPE variants)

juniper/junos 23.4 (3 CPE variants)

Published Jul 11, 2025

Tracked Since Feb 18, 2026