CVE-2025-11198 — Missing Authentication for Critical Function in Juniper Networks Security Director Policy Enforcer
Severity
8.5 HIGH (NVD)
EPSS
0.0%
top 88.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Oct 9
Description
A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones.
If a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker's uploaded image to VMware NSX instead of a legitimate one.
This issue affects Security Director Policy Enforcer:
* All versions before 23.1R1 Hotpatch v3.
This issue does …
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
Affected Packages: 5 packages
Vulnerability Details
GHSA (1)
GHSA-r277-62xf-9v4g: A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-… (2025-10-09)
Vendor Advisories
Juniper (1)
CVE-2025-11198: A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-… (2025-10-09)