Skip to main content
CVE Vulnerability Database

CVE-2025-6549: Juniper Junos Auth Bypass Vulnerability

CVE-2025-6549 is an authentication bypass vulnerability in Juniper Junos OS on SRX Series that exposes J-Web UI to unauthorized network access. This article covers technical details, affected versions, and mitigation strategies.

Published:

CVE-2025-6549 Overview

CVE-2025-6549 is an Incorrect Authorization vulnerability [CWE-863] in the web server component of Juniper Networks Junos OS running on SRX Series firewalls. The flaw allows an unauthenticated, network-based attacker to reach the Juniper Web Device Manager (J-Web) interface over unintended network interfaces. The condition arises when Juniper Secure Connect (JSC) is enabled on specific interfaces, or when multiple interfaces are configured for J-Web. As a result, the J-Web UI becomes reachable beyond the intended administrative boundary, exposing an administrative surface to networks that should not have access.

Critical Impact

Unauthenticated network attackers can access the J-Web management interface on interfaces that administrators did not intend to expose, expanding the attack surface of SRX firewalls.

Affected Products

  • Juniper Junos OS on SRX Series: all versions before 21.4R3-S9
  • Juniper Junos OS on SRX Series: 22.2 versions before 22.2R3-S5, 22.4 versions before 22.4R3-S5, 23.2 versions before 23.2R2-S3
  • Juniper Junos OS on SRX Series: 23.4 versions before 23.4R2-S5, 24.2 versions before 24.2R2 (SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX1600, SRX2300, SRX4100, SRX4120, SRX4200, SRX4300, SRX4600, SRX4700, SRX5400, SRX5600, SRX5800)

Discovery Timeline

  • 2025-07-11 - CVE-2025-6549 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6549

Vulnerability Analysis

The vulnerability resides in the interface-binding logic of the Junos OS web server that serves the J-Web management UI on SRX Series devices. J-Web is intended to be reachable only on the interfaces explicitly configured for management access. Under specific configuration conditions, that binding is not enforced correctly, and the web server begins accepting connections on additional interfaces. An attacker who can route packets to any such unintended interface can request the J-Web login page and interact with the management surface without prior authentication. This broadens exposure on devices that face untrusted networks, including internet-facing SRX firewalls where administrators expected J-Web to be restricted to internal management VLANs.

Root Cause

The root cause is an authorization decision at the network layer that fails when Juniper Secure Connect (JSC) is enabled on specific interfaces, or when J-Web is configured across multiple interfaces. The interface access control does not correctly restrict which interfaces expose the J-Web listener, resulting in the incorrect authorization condition described by [CWE-863].

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends HTTP or HTTPS requests to the IP address of an SRX interface that inadvertently exposes J-Web. If the device configuration matches the vulnerable conditions, the J-Web UI responds and can be interacted with as if it were an intended management interface. No exploit code was published in the enriched data, and the vulnerability has not been reported as exploited in the wild.

No verified proof-of-concept code is available. Refer to the Juniper Security Advisory JSA100098 for authoritative technical details.

Detection Methods for CVE-2025-6549

Indicators of Compromise

  • HTTP or HTTPS requests to the J-Web login path (for example, /, /login, /dashboard) arriving on SRX interfaces that are not designated for management access.
  • Successful TCP handshakes on ports 80 and 443 from untrusted network segments toward SRX interfaces where JSC is enabled.
  • Unexpected J-Web session activity in messages or httpd logs sourced from external or user-segment IP ranges.

Detection Strategies

  • Audit each SRX firewall configuration for system services web-management stanzas and cross-reference the bound interfaces against the intended management plane.
  • Enumerate interfaces where Juniper Secure Connect is enabled and confirm whether the J-Web listener is exposed on them using external port scanning from adjacent segments.
  • Correlate firewall logs for J-Web access attempts originating outside the approved management network and flag them for review.

Monitoring Recommendations

  • Continuously monitor for inbound connections to TCP 80 and 443 on SRX data-plane interfaces and alert on any J-Web responses.
  • Forward Junos httpd and authentication logs to a central log platform and build rules for unauthenticated access to J-Web from non-management sources.
  • Track configuration drift on SRX devices so that changes to web-management or JSC interface bindings trigger a security review.

How to Mitigate CVE-2025-6549

Immediate Actions Required

  • Upgrade Junos OS on SRX Series to a fixed release: 21.4R3-S9, 22.2R3-S5, 22.4R3-S5, 23.2R2-S3, 23.4R2-S5, 24.2R2, or later.
  • Restrict J-Web access using firewall filters on the loopback and transit interfaces so that only trusted management subnets can reach TCP 80 and 443.
  • Disable J-Web entirely on any SRX device where the CLI or NETCONF is sufficient for administration.

Patch Information

Juniper Networks addressed CVE-2025-6549 in the fixed releases listed above. Full remediation guidance and version mapping are provided in the Juniper Security Advisory JSA100098.

Workarounds

  • Apply a firewall filter on the loopback interface lo0.0 that permits HTTP and HTTPS only from designated management prefixes and discards all other traffic to those ports.
  • Where Juniper Secure Connect is not required, disable JSC on interfaces that face untrusted networks to remove the trigger condition.
  • Limit system services web-management http and https bindings to a single, dedicated management interface rather than multiple interfaces.
bash
# Configuration example: restrict J-Web to a trusted management prefix
set firewall family inet filter PROTECT-REs term ALLOW-JWEB from source-address 10.10.0.0/24
set firewall family inet filter PROTECT-REs term ALLOW-JWEB from destination-port [ 80 443 ]
set firewall family inet filter PROTECT-REs term ALLOW-JWEB then accept
set firewall family inet filter PROTECT-REs term DENY-JWEB from destination-port [ 80 443 ]
set firewall family inet filter PROTECT-REs term DENY-JWEB then discard
set interfaces lo0 unit 0 family inet filter input PROTECT-REs
commit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.