CRITICAL🇵🇱 Wersja polska

CVE-2024-2973

CVSS 10.0v4.0pub. 2024-06-27upd. 2026-04-15

An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device. Only routers or conductors that are running in high-availability redundant configurations are affected by this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue affects: Session Smart Router:  * All versions before 5.6.15,  * from 6.0 before 6.1.9-lts,  * from 6.2 before 6.2.5-sts. Session Smart Conductor:  * All versions before 5.6.15,  * from 6.0 before 6.1.9-lts,  * from 6.2 before 6.2.5-sts.  WAN Assurance Router:  * 6.0 versions before 6.1.9-lts,  * 6.2 versions before 6.2.5-sts.

🤖 AI Analysis
How it works

The attacker exploits an alternate path or channel that does not require authentication, thereby bypassing standard access control mechanisms. The vulnerability is accessible remotely over the network without requiring any privileges or user interaction. The redundancy mechanism used in high-availability configurations creates an additional attack surface that is not adequately protected by authentication mechanisms.

Impact

The attacker gains full control over the vulnerable device, which includes the ability to modify configuration, intercept network traffic, and perform further lateral movement in the infrastructure. The compromise affects confidentiality, integrity, and availability of the system and related systems.

Mitigation & patch

Software must be updated to the following versions: Session Smart Router and Session Smart Conductor — 5.6.15 or later, 6.1.9-lts or later (6.0/6.1 branch), 6.2.5-sts or later (6.2 branch); WAN Assurance Router — 6.1.9-lts or later, 6.2.5-sts or later. Details are available in the vendor advisory JSA83126. Devices not in high-availability configuration are not vulnerable.

Who is affected

Juniper Networks Session Smart Router: all versions before 5.6.15, versions 6.0 before 6.1.9-lts, versions 6.2 before 6.2.5-sts. Juniper Networks Session Smart Conductor: all versions before 5.6.15, versions 6.0 before 6.1.9-lts, versions 6.2 before 6.2.5-sts. Juniper Networks WAN Assurance Router: versions 6.0 before 6.1.9-lts, versions 6.2 before 6.2.5-sts. The vulnerability affects only devices operating in high-availability configuration with redundant peers.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:C/RE:M/U:Red
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References