Introduction
Attackers can silently replace trusted firewall images in virtualized environments, setting the stage for widespread compromise without ever needing valid credentials. Juniper Networks Security Director Policy Enforcer, a core component for orchestrating security in VMware NSX deployments, is at the center of CVE-2025-11198—a missing authentication vulnerability that exposes critical infrastructure to remote, unauthenticated manipulation.
About the affected software: Juniper Networks is a leading global provider of networking and security solutions, with a product portfolio spanning routers, switches, firewalls, and management platforms. Security Director Policy Enforcer is a specialized orchestration tool that automates security policy deployment across hybrid and virtualized environments, including integration with VMware NSX for dynamic firewall provisioning. Because it manages security at scale, vulnerabilities in this platform are particularly impactful for large enterprises and service providers.
Technical Information
CVE-2025-11198 arises from missing authentication checks on critical API endpoints within Security Director Policy Enforcer. Specifically, the APIs responsible for managing vSRX firewall images do not require any authentication, allowing any network-based attacker to upload or replace these images. The attacker does not need to compromise credentials or exploit a chain of vulnerabilities—simply sending crafted requests to the exposed API is sufficient.
The exploitation flow is as follows:
- The attacker, with network access to the Policy Enforcer management interface, uploads a malicious vSRX image via the unauthenticated API.
- This image is stored alongside legitimate images and is indistinguishable in the management interface.
- When a trusted administrator later initiates a deployment (such as provisioning new firewall instances in VMware NSX), the Policy Enforcer delivers the attacker's image to NSX for deployment.
- The malicious image is now running as a firewall in production, potentially with backdoors or altered inspection logic.
The root cause is a complete absence of authentication on the image management functions, a textbook case of CWE-306 (Missing Authentication for Critical Function). There are no credential checks, session validations, or authorization controls on these endpoints. This allows remote, unauthenticated exploitation with only network-level access to the management interface.
No code snippets or further implementation details are available in public sources at this time.
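Because a replaced image is indistinguishable in the management interface, one defensive check is to compare the stored vSRX images against a known-good SHA-256 baseline. The sketch below is an added example, not Juniper code or anything from the advisory; the image directory, the file names and the sha256sum-style manifest are assumptions, and the baseline is assumed to come from a trusted source such as vendor-published hashes.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream a large image file through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def load_baseline(text):
    """Parse sha256sum-style lines ('<digest>  <name>') into {name: digest}."""
    baseline = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(None, 1)
            baseline[name.strip().lstrip("*")] = digest.lower()
    return baseline

def audit_images(image_dir, baseline):
    """Compare stored images to the baseline; return (finding, name) tuples."""
    findings, seen = [], set()
    for path in sorted(Path(image_dir).iterdir()):
        if not path.is_file():
            continue
        seen.add(path.name)
        expected = baseline.get(path.name)
        if expected is None:
            findings.append(("UNKNOWN_IMAGE", path.name))  # present, never approved
        elif sha256_file(path) != expected:
            findings.append(("HASH_MISMATCH", path.name))  # same name, new content
    findings += [("MISSING_IMAGE", n) for n in sorted(set(baseline) - seen)]
    return findings

def demo():
    """Constructed sample: one intact image, one replaced, one unapproved."""
    with tempfile.TemporaryDirectory() as d:
        good = {"vsrx-a.ova": b"image-a", "vsrx-b.ova": b"image-b"}  # constructed
        manifest = "\n".join(
            f"{hashlib.sha256(v).hexdigest()}  {k}" for k, v in good.items())
        for name, data in good.items():
            Path(d, name).write_bytes(data)
        Path(d, "vsrx-b.ova").write_bytes(b"tampered")  # same name, other bytes
        Path(d, "vsrx-c.ova").write_bytes(b"extra")     # not in the baseline
        return audit_images(d, load_baseline(manifest))

if __name__ == "__main__":
    for finding, name in demo():
        print(f"{finding}: {name}")
```

Run the audit before any deployment to NSX and treat every finding as a reason to hold the rollout until the image is re-verified.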
Affected Systems and Versions
- Product: Juniper Networks Security Director Policy Enforcer
- Affected versions: All versions prior to 23.1R1 Hotpatch v3
- Not affected: Junos Space Security Director Insights
- Vulnerable configuration: Any deployment where the Policy Enforcer management interface is accessible over the network
Vendor Security History
Juniper Networks has a robust product portfolio and is recognized for technical security features, particularly in the SRX Series firewalls. However, management platforms have seen recurring critical vulnerabilities, including authentication and resource management flaws. The vendor's response to CVE-2025-11198 was prompt, with a hotpatch released in the same bulletin cycle. Previous advisories, such as for CVE-2025-59975 (uncontrolled resource consumption in Junos Space), indicate ongoing attention to management interface security but also highlight the need for continued vigilance.