CVE-2025-52950

Juniper Security Director: Insufficient authorization for multiple endpoints in web interface

Description

A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface. Numerous endpoints on the Juniper Security Director appliance do not validate authorization and deliver information to the caller that is outside their authorization level, so an attacker can access data beyond what their (absent) authorization permits. The information obtained can be used to gain access to additional information or to perpetrate other attacks, impacting downstream managed devices. This issue affects Security Director version 24.4.1.
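The weakness class described above (CWE-862, Missing Authorization: a handler that serves a resource without first asking who is calling and what they are allowed to see) is illustrated below with a generic, added example. This is not Juniper code and does not describe how Security Director's endpoints are implemented; the endpoints, roles, resource lists and the `authorize` / `unregistered_endpoints` helpers are all constructed for the illustration. It contrasts the vulnerable pattern with a deny-by-default authorization layer and includes the self-check a defender would want: a function that lists handlers no authorization rule covers.

```python
"""
Generic illustration of CWE-862 (Missing Authorization) in a web API.
Added example, not Juniper code; all endpoints, roles and data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Constructed sample data: the kind of resources a management UI might expose.
RESOURCES = {
    "/api/devices": ["fw-edge-1", "fw-core-2"],
    "/api/policies": ["allow-dns", "deny-all"],
    "/api/users": ["admin", "auditor"],
}


@dataclass
class Request:
    path: str
    session_role: Optional[str] = None  # None models an unauthenticated caller


@dataclass
class Response:
    status: int
    body: object = None


# --- Vulnerable pattern: the handler keys only on the path and never checks
# --- whether the caller is authenticated or entitled to the resource.
def vulnerable_dispatch(req: Request) -> Response:
    if req.path in RESOURCES:
        return Response(200, RESOURCES[req.path])
    return Response(404)


# --- Hardened pattern: an explicit allow-list of endpoint -> permitted roles.
# --- Anything not on the list is denied, so a forgotten endpoint fails closed.
ENDPOINT_ROLES: Dict[str, Set[str]] = {
    "/api/devices": {"admin", "operator", "auditor"},
    "/api/policies": {"admin", "operator"},
    "/api/users": {"admin"},
}

# Denied requests are recorded so repeated probing is visible to detection.
AUDIT_LOG = []


def authorize(req: Request) -> Optional[Response]:
    """Return a denial Response, or None if the caller may proceed."""
    if req.session_role is None:
        AUDIT_LOG.append(f"401 unauthenticated {req.path}")
        return Response(401)
    allowed = ENDPOINT_ROLES.get(req.path)
    # Unknown endpoint: deny rather than fall through to a handler that was
    # never registered with the authorization layer.
    if allowed is None or req.session_role not in allowed:
        AUDIT_LOG.append(f"403 role={req.session_role} {req.path}")
        return Response(403)
    return None


def hardened_dispatch(req: Request) -> Response:
    denied = authorize(req)
    if denied is not None:
        return denied
    return Response(200, RESOURCES[req.path])


def unregistered_endpoints(handlers: Iterable[str],
                           roles: Dict[str, Set[str]]) -> Set[str]:
    """Self-check for reviews: handlers with no authorization rule at all."""
    return {path for path in handlers if path not in roles}


if __name__ == "__main__":
    anon = Request("/api/users")
    print("vulnerable:", vulnerable_dispatch(anon).status)   # 200: data leaks
    print("hardened:  ", hardened_dispatch(anon).status)     # 401: denied
    print("uncovered: ", unregistered_endpoints(RESOURCES, ENDPOINT_ROLES))
```

The point of `unregistered_endpoints` is that the bug class is rarely one endpoint forgetting a check; it is a framework where checks are opt-in per handler. Running such a check in CI against the routing table turns "numerous endpoints do not validate authorization" into a failing build rather than an advisory.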

Remediation

Solution:

  • The following software releases have been updated to resolve this specific issue: Juniper Security Director Software Bundle Update 24.4.1-1703, and all subsequent releases

Workaround:

  • Use access lists or firewall filters to limit access to the web interface only from trusted hosts.

CVSS

Base score: 6.4
Severity: Medium
Vendor Advisory: juniper.net
Affected: Juniper Networks Juniper Security Director

References

Frequently Asked Questions

What is the severity of CVE-2025-52950?
CVE-2025-52950 has been scored as a medium severity vulnerability.
How to fix CVE-2025-52950?
To fix CVE-2025-52950: the following software releases have been updated to resolve this specific issue: Juniper Security Director Software Bundle Update 24.4.1-1703, and all subsequent releases.
Is CVE-2025-52950 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2025-52950 is being actively exploited.
What software or system is affected by CVE-2025-52950?
CVE-2025-52950 affects Juniper Networks Juniper Security Director.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.