CVE-2025-52987
📋 TL;DR
A clickjacking vulnerability in Juniper Networks Paragon Automation web portal allows attackers to embed the interface in malicious frames and trick users into performing unintended actions. This affects all versions before 24.1.1 of Paragon Automation (Pathfinder, Planner, Insights). Users accessing the web portal are vulnerable to interface manipulation attacks.
💻 Affected Systems
- Juniper Networks Paragon Automation
- Paragon Pathfinder
- Paragon Planner
- Paragon Insights
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could trick authenticated users into performing administrative actions like configuration changes, user deletions, or data exports without their knowledge.
Likely Case
Attackers create convincing phishing pages that overlay malicious controls over legitimate interface elements, tricking users into clicking buttons that perform unintended actions.
If Mitigated
With proper X-Frame-Options headers, browsers prevent the interface from being embedded in frames, blocking clickjacking attempts.
🎯 Exploit Status
Clickjacking attacks are well-documented and easy to implement. Requires user interaction and the user must be logged into the vulnerable interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.1.1
Vendor Advisory: https://kb.juniper.net/JSA103145
Restart Required: Yes
Instructions:
1. Download Paragon Automation version 24.1.1 from the Juniper support portal.
2. Back up the current configuration.
3. Install the update following Juniper's upgrade documentation.
4. Restart the Paragon Automation services.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Configure the WAF to inject an X-Frame-Options: DENY header into all Paragon Automation responses.
WAF-specific configuration - consult your WAF documentation for header injection rules
Reverse Proxy Configuration
Configure the reverse proxy (nginx, Apache, etc.) in front of Paragon Automation to add the X-Frame-Options header to every response, including error responses such as 401/403 login walls.
nginx: add_header X-Frame-Options DENY always; (without always, nginx adds the header only to 2xx and 3xx responses)
Apache: Header always set X-Frame-Options DENY
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) with frame-ancestors directive to restrict framing
- Use browser extensions that detect and block clickjacking attempts for administrative users
🔍 How to Verify
Check if Vulnerable:
Use browser developer tools (Network tab) to inspect the HTTP response headers for X-Frame-Options and X-Content-Type-Options. If X-Frame-Options is missing or set to ALLOW-FROM, the system is vulnerable: ALLOW-FROM is deprecated and ignored by current browsers, so it provides no protection.
Check Version:
Check Paragon Automation version in web interface under Administration > System Information or via CLI: show version
Verify Fix Applied:
After patching, verify HTTP responses include X-Frame-Options: DENY or SAMEORIGIN and X-Content-Type-Options: nosniff headers.
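The manual header check above can be scripted so it is repeatable across the Pathfinder, Planner and Insights portals before and after patching. The following is an added example, not Juniper's code or tooling: it fetches one URL, keeps the headers even when the portal answers with a 401/403 login wall, and classifies them. It also evaluates a Content-Security-Policy frame-ancestors directive, the alternative mitigation listed under "If You Can't Patch", which browsers honour in preference to X-Frame-Options. The target URL, the verify_tls switch and the user agent string are assumptions for illustration.

```python
"""Check whether a web portal's responses carry anti-framing headers.

Added example for the verification steps in this advisory; it is not Juniper's
code. The URL to check is passed on the command line (assumed usage:
python xfo_check.py https://portal.example/ [--insecure]).
"""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Dict


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify response headers as 'protected', 'partial' or 'vulnerable'.

    Browsers that understand CSP frame-ancestors give it precedence over
    X-Frame-Options, so it is evaluated first. Header names are matched
    case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            if not sources or sources <= {"none", "self"}:
                return "protected"          # no sources, 'none', or 'self' only
            if "*" in sources or sources & {"http:", "https:"}:
                return "vulnerable"         # effectively any site may frame it
            return "partial"                # explicit allow-list: review each origin

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    # Missing, malformed, or the deprecated ALLOW-FROM form that current
    # browsers ignore: the page can be framed.
    return "vulnerable"


def check_url(url: str, verify_tls: bool = True) -> str:
    """Fetch one URL and classify its anti-framing headers.

    Error responses (401/403 login walls) still carry the headers of interest,
    so HTTPError is inspected rather than propagated. verify_tls=False is only
    for appliances that still use a self-signed certificate.
    """
    context = ssl.create_default_context()
    if not verify_tls:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    request = urllib.request.Request(url, headers={"User-Agent": "xfo-check/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=10, context=context) as resp:
            return framing_protection(dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return framing_protection(dict(err.headers.items()))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: xfo_check.py URL [--insecure]")
    target = sys.argv[1]
    print(f"{target}: {check_url(target, verify_tls='--insecure' not in sys.argv)}")
```

Run it against the login page of each portal; a result of "protected" both before and after the upgrade means the proxy workaround was already in place, while "vulnerable" after patching indicates the fixed build is not actually serving that hostname.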
📡 Detection & Monitoring
Log Indicators:
- Unusual user actions from unexpected locations
- Multiple failed login attempts followed by successful administrative actions
Network Indicators:
- HTTP requests with Referer headers pointing to suspicious domains
- IFRAME embedding of Paragon Automation URLs
SIEM Query:
source="paragon_logs" AND (action="admin_change" OR action="user_delete" OR action="config_modify") AND user_agent CONTAINS "suspicious"
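The network indicators above (a foreign Referer, the portal being loaded inside an IFRAME) can be checked mechanically from reverse-proxy access logs, which also carry the browser's Sec-Fetch-Dest and Sec-Fetch-Site request headers that mark a framed, cross-site document load. The following is an added example, not part of the advisory or of any Juniper tool: it assumes the proxy writes one JSON object per request with the field names used below, that lines are in time order, and the sample log is constructed for illustration. It flags state-changing requests issued by a session shortly after that session loaded the portal inside a cross-site frame, which is the pattern a successful clickjack produces.

```python
"""Hunt for clickjacking-style activity in reverse-proxy access logs.

Added example, not Juniper tooling. Assumed log format: one JSON object per
request with ts, session, method, path, sec_fetch_dest, sec_fetch_site and
referer fields, ordered by time.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse

FRAME_DESTS = {"iframe", "frame", "embed", "object"}   # Fetch Metadata values for framed loads
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log (not real Paragon data). Session s2 is loaded inside a
# cross-site frame and then issues an administrative request; s1 and s3 are benign.
SAMPLE_LOG = [
    '{"ts": "2025-07-10T10:00:00+00:00", "session": "s1", "method": "GET", "path": "/login",'
    ' "sec_fetch_dest": "document", "sec_fetch_site": "none", "referer": ""}',
    '{"ts": "2025-07-10T10:00:30+00:00", "session": "s2", "method": "GET", "path": "/ui/dashboard",'
    ' "sec_fetch_dest": "iframe", "sec_fetch_site": "cross-site", "referer": "https://promo.invalid/win"}',
    '{"ts": "2025-07-10T10:01:00+00:00", "session": "s1", "method": "POST", "path": "/api/config/commit",'
    ' "sec_fetch_dest": "empty", "sec_fetch_site": "same-origin", "referer": "https://paragon.corp.example/ui/config"}',
    '{"ts": "2025-07-10T10:02:00+00:00", "session": "s2", "method": "POST", "path": "/api/users/delete",'
    ' "sec_fetch_dest": "empty", "sec_fetch_site": "same-origin", "referer": "https://paragon.corp.example/ui/dashboard"}',
    '{"ts": "2025-07-10T10:02:30+00:00", "session": "s3", "method": "GET", "path": "/ui/help",'
    ' "sec_fetch_dest": "iframe", "sec_fetch_site": "same-origin", "referer": "https://paragon.corp.example/ui/dashboard"}',
    '{"ts": "2025-07-10T10:03:00+00:00", "session": "s3", "method": "POST", "path": "/api/export",'
    ' "sec_fetch_dest": "empty", "sec_fetch_site": "same-origin", "referer": "https://paragon.corp.example/ui/help"}',
]


def hostname(url: str) -> str:
    """Lower-case host part of a URL, or '' when absent."""
    return (urlparse(url).hostname or "").lower()


def framed_from_outside(entry: Dict, allowed_hosts: Set[str]) -> bool:
    """True when this request loaded the portal as a frame from a foreign site."""
    if entry.get("sec_fetch_dest", "").lower() not in FRAME_DESTS:
        return False
    if entry.get("sec_fetch_site", "").lower() == "cross-site":
        return True
    # Older clients send no Sec-Fetch-Site; fall back to the Referer host.
    ref_host = hostname(entry.get("referer", ""))
    return bool(ref_host) and ref_host not in allowed_hosts


def find_framed_admin_actions(lines: Iterable[str], allowed_hosts: Set[str],
                              window_seconds: int = 300) -> List[Dict]:
    """Flag state-changing requests a session makes soon after being framed cross-site."""
    framed_at: Dict[str, datetime] = {}
    framed_by: Dict[str, str] = {}
    findings: List[Dict] = []
    for line in lines:
        entry = json.loads(line)
        ts = datetime.fromisoformat(entry["ts"])
        sid = entry["session"]
        if framed_from_outside(entry, allowed_hosts):
            framed_at[sid] = ts
            framed_by[sid] = entry.get("referer", "")
            continue
        if entry["method"].upper() in STATE_CHANGING and sid in framed_at:
            if ts - framed_at[sid] <= timedelta(seconds=window_seconds):
                findings.append({"session": sid, "ts": entry["ts"], "method": entry["method"],
                                 "path": entry["path"], "framed_by": framed_by[sid]})
    return findings


if __name__ == "__main__":
    for hit in find_framed_admin_actions(SAMPLE_LOG, {"paragon.corp.example"}):
        print(f"{hit['ts']} session={hit['session']} {hit['method']} {hit['path']} "
              f"after cross-site frame from {hit['framed_by']}")
```

Once the X-Frame-Options or frame-ancestors mitigation is in place the framed document load itself is refused by the browser, so the framed_from_outside hits should disappear from the logs entirely; any that remain point at a hostname or path the header is not being applied to.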