Critical Vulnerability Affecting Juniper Devices

Published on 02 Jul 2024

Juniper has released security updates to address a critical vulnerability (CVE-2024-2973) in its Session Smart Router and Conductor products. The vulnerability has a maximum CVSSv4 score of 10 out of 10.

The vulnerability affects Juniper Networks Session Smart Router or Conductor running with a redundant peer. Successful exploitation of the vulnerability could allow an unauthenticated attacker to bypass authentication and gain remote control of the device.

The vulnerability affects the following product versions:

Session Smart Router & Conductor:
  • All versions before 5.6.15
  • From 6.0 before 6.1.9-lts
  • From 6.2 before 6.2.5-sts

WAN Assurance Router:
  • 6.0 versions before 6.1.9-lts
  • 6.2 versions before 6.2.5-sts

Users and administrators of affected product versions are advised to update to the latest versions immediately.
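
The version ranges listed above can be checked against a device inventory to decide which hosts to update first. The Python below is an added example, not code from Juniper or from this advisory; the product labels (`ssr`, `wan-assurance`), the inventory fields and the hostnames are constructed, and it assumes the `-lts`/`-sts` suffix does not change version ordering.

```python
import re

# Affected ranges transcribed from the advisory above as (introduced, fixed):
# a version v is affected when introduced <= v < fixed.
# "ssr" (hypothetical label) covers Session Smart Router and Conductor.
AFFECTED = {
    "ssr": [((0, 0, 0), (5, 6, 15)), ((6, 0, 0), (6, 1, 9)), ((6, 2, 0), (6, 2, 5))],
    "wan-assurance": [((6, 0, 0), (6, 1, 9)), ((6, 2, 0), (6, 2, 5))],
}

def parse_version(text):
    """Turn '6.1.9-lts' or '6.0' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?", str(text).strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(product, version):
    """True when the version falls inside one of the product's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED[product])

def triage(inventory):
    """Return (update_now, update, review) lists of host names."""
    update_now, update, review = [], [], []
    for host in inventory:
        try:
            hit = is_affected(host["product"], host["version"])
        except (KeyError, ValueError):
            review.append(host["name"])  # unknown product or unparseable version
            continue
        if hit:  # redundant-peer deployments are the exposed configuration
            (update_now if host.get("redundant_peer") else update).append(host["name"])
    return update_now, update, review

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "ssr-edge-01", "product": "ssr", "version": "5.6.14", "redundant_peer": True},
    {"name": "ssr-edge-02", "product": "ssr", "version": "5.6.15", "redundant_peer": True},
    {"name": "conductor-01", "product": "ssr", "version": "6.1.8-lts", "redundant_peer": False},
    {"name": "wan-01", "product": "wan-assurance", "version": "6.2.4-sts", "redundant_peer": True},
    {"name": "wan-02", "product": "wan-assurance", "version": "5.6.10", "redundant_peer": True},
    {"name": "lab-01", "product": "ssr", "version": "unknown", "redundant_peer": True},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

Hosts in the third list have a version string or product label the check could not interpret and need manual review rather than being treated as unaffected.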

More information is available here:
https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-Bulletin-Session-Smart-Router-SSR-On-redundant-router-deployments-API-authentication-can-be-bypassed-CVE-2024-2973?language=en_US
https://www.bleepingcomputer.com/news/security/juniper-releases-out-of-cycle-fix-for-max-severity-auth-bypass-flaw/