Introduction
A missing SSH host key validation step in Juniper Networks Apstra means that every outbound SSH session from the automation platform to a managed network device could be silently intercepted, giving an attacker the ability to impersonate infrastructure and harvest credentials. For organizations running Apstra to automate data center networks, this flaw (scored CVSS 8.7) turns the management plane itself into a liability.
Juniper Apstra is a data center network automation platform that enables network architects to design, validate, and manage network infrastructure at scale. Now part of Hewlett Packard Enterprise following Juniper's integration, Apstra occupies a significant role in intent-based networking for enterprise and service provider data centers. A vulnerability in this platform's SSH implementation has direct implications for the integrity of the entire managed device fleet.
Technical Information
Root Cause
CVE-2025-13914 is classified under CWE-322: Key Exchange without Entity Authentication. The core issue is that Apstra's SSH client, when initiating outbound connections to managed devices, did not adequately verify the identity of the remote host during the SSH key exchange process. In practical terms, the Apstra server would establish SSH sessions without confirming host keys against a known or trusted set of values. This is a fundamental violation of the SSH protocol's security model, where host key verification is the mechanism that prevents impersonation of the remote endpoint.
CVSS Breakdown
The CVSS v3.1 vector string for this vulnerability is:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
| Metric | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable over the network |
| Attack Complexity | High | Requires on-path (MITM) positioning |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim action required |
| Scope | Changed | Impact extends beyond the vulnerable component |
| Confidentiality | High | Credential capture is possible |
| Integrity | High | Device impersonation undermines trust |
| Availability | None | No direct availability impact |
The "Changed" scope is notable here. While the vulnerable component is the Apstra server's SSH client, successful exploitation impacts the managed devices and the credentials used to access them, extending the blast radius beyond Apstra itself.
Attack Flow
Exploitation of this vulnerability follows a specific sequence:
- Positioning: The attacker must first establish a machine-in-the-middle position on the network path between the Apstra server and one or more managed devices. This could be achieved through ARP spoofing, BGP hijacking, compromising an intermediate network device, or physical access to the network segment carrying management traffic.
- Interception: Once positioned, the attacker intercepts an outbound SSH connection initiated by the Apstra server toward a managed device. Because Apstra does not validate the host key presented during the SSH handshake, the attacker can present their own key without triggering any rejection or warning.
- Impersonation: The attacker completes the SSH handshake with the Apstra server, effectively impersonating the managed device. From Apstra's perspective, the session appears legitimate.
- Credential Capture: During the authentication phase of the SSH session, the Apstra server transmits credentials (used to authenticate to the managed device). The attacker captures these credentials in cleartext within the established SSH tunnel, since the tunnel terminates at the attacker's system rather than the legitimate device.
- Lateral Movement Potential: With captured credentials, the attacker can then directly authenticate to managed devices, potentially gaining administrative control over network infrastructure.
The attack complexity is rated High because achieving the on-path position is a prerequisite, but once that position is obtained, no further privileges or user interaction are needed. The absence of host key validation means there is no cryptographic barrier to the impersonation once the network position is established.
Vulnerable Flow
The specific vulnerable flow is outbound SSH from the Apstra server to managed devices. This is the control channel through which Apstra pushes configuration, collects telemetry, and manages the lifecycle of network devices. Compromising this channel gives an attacker visibility into and control over the automation platform's interactions with the entire managed fleet.
Patch Information
Juniper Networks has resolved CVE-2025-13914 in Apstra version 6.1.1 and all subsequent releases. The fix, tracked internally under issue AOS-56131, introduces proper SSH host key validation for connections from the Apstra server to managed network devices.
Prior to version 6.1.1, Apstra's SSH implementation would silently proceed with the key exchange even when presented with an unknown or spoofed host key. The fix ensures that the Apstra server now validates SSH host keys before completing the key exchange and establishing a session. If an attacker attempts to intercept the SSH handshake and present a fraudulent host key, the connection will be rejected rather than silently proceeding.
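The validation step discussed under Root Cause and in the fix description above, as an added example that is not Apstra's code and does not come from Juniper's advisory: a fail-closed check of the presented host key against keys pinned in a known_hosts-style store. Host names, addresses and key bytes are constructed, and `check_host_key` with its `validate` flag is a hypothetical name; `validate=False` reproduces the accept-anything behaviour the page describes.

```python
import base64, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire string: uint32 length + bytes

def key_type_of(blob: bytes) -> str:
    (n,) = struct.unpack(">I", blob[:4])        # algorithm name prefixes every key blob
    return blob[4:4 + n].decode("ascii")

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, for comparing against an inventory record."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_known_hosts(text: str) -> dict:
    """Parse plain known_hosts lines into {host: [key blobs]}."""
    store = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue  # comments, @markers and hashed hosts are out of scope here
        try:
            blob = base64.b64decode(fields[2], validate=True)
            if key_type_of(blob) != fields[1]:
                continue  # declared type must match the type inside the blob
        except (ValueError, struct.error):
            continue  # malformed entry: never treat it as trusted
        for host in fields[0].split(","):
            store.setdefault(host, []).append(blob)
    return store

def check_host_key(host, presented: bytes, store: dict, validate: bool = True):
    """Return (verdict, fingerprint) for the key a server presents in the handshake."""
    fp = fingerprint(presented)
    if not validate:
        return "accept", fp  # no verification: any presented key is trusted
    pinned = store.get(host)
    if not pinned:
        return "reject-unknown-host", fp  # fail closed instead of trust-on-first-use
    if any(hmac.compare_digest(presented, blob) for blob in pinned):
        return "accept", fp
    return "reject-key-mismatch", fp

# Constructed sample data (not real device keys or hosts).
DEVICE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
OTHER_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
KNOWN_HOSTS = ("# pinned out of band\nleaf1.example,192.0.2.11 ssh-ed25519 "
               + base64.b64encode(DEVICE_KEY).decode() + "\n")
STORE = load_known_hosts(KNOWN_HOSTS)
```

The returned fingerprint is what an operator would log on a rejection and compare against the device's key as recorded out of band.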
Key facts about the remediation:
- All versions of Apstra prior to 6.1.1 are affected, starting from the very first release (version 0).
- There are no workarounds available for this issue. The upgrade to 6.1.1 or later is the sole remediation path.
- Juniper's advisory (JSA107862) was published on April 8, 2026.
- At the time of disclosure, Juniper confirmed no known malicious exploitation of this vulnerability in the wild.
Organizations should freeze deployments on older versions and fast-track upgrade approvals for Apstra 6.1.1 or later.
Affected Systems and Versions
All versions of Juniper Networks Apstra prior to version 6.1.1 are vulnerable. The affected version range begins from the initial release (version 0) and extends through every release up to but not including 6.1.1.
- Affected: Apstra versions 0 through 6.1.0 (inclusive)
- Fixed: Apstra version 6.1.1 and all subsequent releases
The vulnerable configuration is the default SSH implementation used for outbound connections from the Apstra server to managed network devices. No special or non-default configuration is required to be vulnerable.
Vendor Security History
Juniper Networks, now part of Hewlett Packard Enterprise, has a history of security issues that have attracted threat actor attention. In 2023, vulnerabilities in Juniper SRX and EX series devices saw confirmed real-world exploitation, as documented by Rapid7. This historical precedent is relevant context for CVE-2025-13914: while no active exploitation has been confirmed at the time of this writing, the pattern of threat actors targeting Juniper infrastructure suggests that organizations should not wait for exploitation to begin before patching.
Multiple international cybersecurity authorities, including GovCERT HK and CERT Austria, issued alerts regarding this vulnerability shortly after its disclosure, reflecting the seriousness with which the security community is treating this issue.
References
- Juniper Security Bulletin: Apstra SSH Host Key Validation Vulnerability (JSA107862)
- NVD Entry for CVE-2025-13914
- CVE Record for CVE-2025-13914
- Tenable CVE-2025-13914
- Juniper KB Article JSA107862
- GovCERT HK Alert: Juniper Networks Product Vulnerabilities
- CERT Austria Daily Summary, April 8, 2026
- Rapid7: Exploitation of Juniper Networks SRX and EX Series Devices (2023)



