Juniper Security Director Policy Enforcer CVE-2025-11198: Brief Summary of Missing Authentication for Critical Function

A brief summary of CVE-2025-11198, a missing authentication vulnerability in Juniper Networks Security Director Policy Enforcer that allows unauthenticated attackers to replace vSRX images with malicious ones in VMware NSX environments. Includes affected versions, technical mechanism, and references.

ZeroPath CVE Analysis

2025-10-09

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Attackers can silently replace trusted firewall images in virtualized environments, setting the stage for widespread compromise without ever needing valid credentials. Juniper Networks Security Director Policy Enforcer, a core component for orchestrating security in VMware NSX deployments, is at the center of CVE-2025-11198—a missing authentication vulnerability that exposes critical infrastructure to remote, unauthenticated manipulation.

About the involved software: Juniper Networks is a leading global provider of networking and security solutions, with a product portfolio spanning routers, switches, firewalls, and management platforms. Security Director Policy Enforcer is a specialized orchestration tool that automates security policy deployment across hybrid and virtualized environments, including integration with VMware NSX for dynamic firewall provisioning. Its role in managing security at scale makes vulnerabilities in this platform particularly impactful for large enterprises and service providers.

Technical Information

CVE-2025-11198 arises from missing authentication checks on critical API endpoints within Security Director Policy Enforcer. Specifically, the APIs responsible for managing vSRX firewall images do not require any authentication, allowing any network-based attacker to upload or replace these images. The attacker does not need to compromise credentials or exploit a chain of vulnerabilities—simply sending crafted requests to the exposed API is sufficient.

The exploitation flow is as follows:

  • The attacker, with network access to the Policy Enforcer management interface, uploads a malicious vSRX image via the unauthenticated API.
  • This image is stored alongside legitimate images and is indistinguishable in the management interface.
  • When a trusted administrator later initiates a deployment (such as provisioning new firewall instances in VMware NSX), the Policy Enforcer delivers the attacker's image to NSX for deployment.
  • The malicious image is now running as a firewall in production, potentially with backdoors or altered inspection logic.

The root cause is a complete absence of authentication on the image management functions, a textbook case of CWE-306 (Missing Authentication for Critical Function). There are no credential checks, session validations, or authorization controls on these endpoints. This allows remote, unauthenticated exploitation with only network-level access to the management interface.

No code snippets or further implementation details are available in public sources at this time.
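
Because a replaced image is indistinguishable in the management interface, one defensive check before any deployment is to compare the stored vSRX images against digests recorded from a trusted source. The following is an added example, not code from Juniper or from the original analysis; the image file names, the sha256sum-style manifest and the image directory are assumptions, since the page does not say where Policy Enforcer stores images.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream a (potentially multi-GB) image through SHA-256."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def load_manifest(text):
    """Parse sha256sum-style lines: '<hex digest>  <file name>'."""
    trusted = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, name = line.split(None, 1)
            trusted[name.lstrip("*")] = digest.lower()
    return trusted

def audit_images(image_dir, trusted):
    """Classify each file in image_dir against the trusted manifest."""
    findings = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    for path in sorted(p for p in Path(image_dir).iterdir() if p.is_file()):
        expected = trusted.get(path.name)
        if expected is None:
            findings["unexpected"].append(path.name)   # stored but never recorded
        elif sha256_file(path) == expected:
            findings["ok"].append(path.name)
        else:
            findings["modified"].append(path.name)     # same name, different content
    findings["missing"] = sorted(
        n for n in trusted if not Path(image_dir, n).is_file())
    return findings

def demo():
    """Constructed sample: file names and contents are placeholders."""
    with tempfile.TemporaryDirectory() as d:
        good, swapped = Path(d, "vsrx-a.ova"), Path(d, "vsrx-b.ova")
        good.write_bytes(b"constructed image A")
        swapped.write_bytes(b"constructed image B")
        manifest = f"{sha256_file(good)}  vsrx-a.ova\n{sha256_file(swapped)}  vsrx-b.ova\n"
        swapped.write_bytes(b"replaced after the manifest was recorded")
        Path(d, "vsrx-c.ova").write_bytes(b"stored, never recorded")
        return audit_images(d, load_manifest(manifest))

if __name__ == "__main__":
    print(demo())
```

Any entry under "modified" or "unexpected" should block deployment until the image is re-obtained from the vendor and re-verified; the manifest itself must be kept somewhere the Policy Enforcer host cannot write to.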

Affected Systems and Versions

  • Product: Juniper Networks Security Director Policy Enforcer
  • Affected versions: All versions prior to 23.1R1 Hotpatch v3
  • Not affected: Junos Space Security Director Insights
  • Vulnerable configuration: Any deployment where the Policy Enforcer management interface is accessible over the network

Vendor Security History

Juniper Networks has a robust product portfolio and is recognized for technical security features, particularly in the SRX Series firewalls. However, management platforms have seen recurring critical vulnerabilities, including authentication and resource management flaws. The vendor's response to CVE-2025-11198 was prompt, with a hotpatch released in the same bulletin cycle. Previous advisories, such as for CVE-2025-59975 (uncontrolled resource consumption in Junos Space), indicate ongoing attention to management interface security but also highlight the need for continued vigilance.
