CVE-2025-11198
📋 TL;DR
An unauthenticated attacker can replace legitimate vSRX images with malicious ones in Juniper Security Director Policy Enforcer. This allows network-based attackers to compromise virtual security appliances when deployments are initiated by trusted users. Only Security Director Policy Enforcer versions before 23.1R1 Hotpatch v3 are affected.
💻 Affected Systems
- Juniper Networks Security Director Policy Enforcer
📦 What is this software?
Security Director Policy Enforcer by Juniper
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of vSRX security appliances leading to network infiltration, data exfiltration, and persistent backdoor access across the virtual infrastructure.
Likely Case
Attackers deploy malicious vSRX images that bypass security controls, intercept traffic, or establish footholds in the network.
If Mitigated
Limited impact if proper network segmentation and authentication controls prevent unauthenticated access to the Policy Enforcer.
🎯 Exploit Status
Exploitation requires network access to the Policy Enforcer and a trusted user to trigger deployment.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.1R1 Hotpatch v3 or later
Vendor Advisory: https://supportportal.juniper.net/JSA103437
Restart Required: Yes
Instructions:
1. Download the patch from the Juniper support portal.
2. Back up the current configuration.
3. Apply the patch following Juniper's upgrade procedures.
4. Restart the affected services.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Security Director Policy Enforcer to authorized management networks only.
Deployment Approval Workflow
Implement a manual approval process for all vSRX image deployments, with verification of image integrity before deployment.
🧯 If You Can't Patch
- Isolate Security Director Policy Enforcer on dedicated management VLAN with strict access controls.
- Implement network monitoring for unauthorized image upload attempts and deployment activities.
🔍 How to Verify
Check if Vulnerable:
Check the Security Director Policy Enforcer version via the web interface or CLI. If the version is earlier than 23.1R1 Hotpatch v3, the system is vulnerable.
Check Version:
Run show version from the CLI, or open the About section in the web interface.
Verify Fix Applied:
Verify that the version is 23.1R1 Hotpatch v3 or later, and confirm that unauthenticated image upload attempts are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated image upload attempts
- Unexpected vSRX image deployment events
- Failed authentication attempts to Policy Enforcer
Network Indicators:
- Unusual traffic to Policy Enforcer from unauthorized sources
- Image uploads from unexpected IP addresses
SIEM Query:
source="security_director" AND (event="image_upload" OR event="deployment_initiated") AND user="anonymous"
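The log and network indicators above can be turned into a small offline check. The following is an added example, not part of this advisory and not Juniper code; it assumes a simple key=value log layout (constructed here, not the real Policy Enforcer format) and an assumed management network of 10.10.5.0/24, and flags unauthenticated upload/deployment events, such events from outside the management network, and failed logins.

```python
import re
import ipaddress

# Constructed sample lines in an assumed key=value layout; this is NOT the
# real Policy Enforcer log format, only a stand-in for the example.
SAMPLE_LOGS = [
    "source=security_director event=image_upload user=admin src=10.10.5.7 image=vsrx.qcow2",
    "source=security_director event=image_upload user=anonymous src=198.51.100.23 image=vsrx.qcow2",
    "source=security_director event=deployment_initiated user=netops src=10.10.5.9 image=vsrx.qcow2",
    "source=security_director event=deployment_initiated user=anonymous src=10.10.5.9 image=vsrx.qcow2",
    "source=security_director event=login_failed user=admin src=198.51.100.23",
    "source=other_app event=image_upload user=anonymous src=198.51.100.23",
]

# Assumed management network from which uploads and deployments are expected.
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
WATCHED_EVENTS = {"image_upload", "deployment_initiated"}
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a key=value log line into a dict."""
    return dict(KV.findall(line))


def classify(rec):
    """Return the indicator names raised by one parsed record (may be empty)."""
    hits = []
    if rec.get("source") != "security_director":
        return hits  # the SIEM query scopes to the Policy Enforcer source only
    event = rec.get("event")
    if event in WATCHED_EVENTS:
        if rec.get("user") == "anonymous":
            hits.append("unauthenticated_" + event)
        try:
            addr = ipaddress.ip_address(rec.get("src") or "")
        except ValueError:
            addr = None
        if addr is None or not any(addr in net for net in MGMT_NETS):
            hits.append("off_mgmt_net_" + event)
    elif event == "login_failed":
        hits.append("failed_auth")
    return hits


def scan(lines):
    """Return (line, indicators) for every line that raises at least one indicator."""
    flagged = []
    for line in lines:
        hits = classify(parse_line(line))
        if hits:
            flagged.append((line, hits))
    return flagged
```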