CVE-2024-2973— Session Smart Router(SSR): On redundant router deployments API authentication can be bypassed
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-2973
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Session Smart Router(SSR): On redundant router deployments API authentication can be bypassed
Source: NVD (National Vulnerability Database)
Vulnerability Description
An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device. Only routers or conductors that are running in high-availability redundant configurations are affected by this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue affects: Session Smart Router: * All versions before 5.6.15, * from 6.0 before 6.1.9-lts, * from 6.2 before 6.2.5-sts. Session Smart Conductor: * All versions before 5.6.15, * from 6.0 before 6.1.9-lts, * from 6.2 before 6.2.5-sts. WAN Assurance Router: * 6.0 versions before 6.1.9-lts, * 6.2 versions before 6.2.5-sts.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用候选路径或通道进行的认证绕过
Source: NVD (National Vulnerability Database)
Vulnerability Title
Session Smart Router 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Session Smart Router是Juniper的旨在为用户提供卓越的连接体验,路由器基于应用程序感知和零信任安全网络结构构建,可满足最严格的企业性能、安全性和可用性要求。 Session Smart Router存在安全漏洞,该漏洞源于智能路由器或导体中使用备用路径或通道绕过身份验证,允许基于网络的攻击者绕过身份验证并完全控制设备。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Juniper Networks | Session Smart Router | 0 ~ 5.6.15 | - | |
| Juniper Networks | Session Smart Conductor | 0 ~ 5.6.15 | - | |
| Juniper Networks | WAN Assurance Router | 6.0 ~ 6.1.9-lts | - |
II. Public POCs for CVE-2024-2973
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-2973
请登录查看更多情报信息。
- https://supportportal.juniper.net/JSA83126vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-2973
IV. Related Vulnerabilities
Same vendor: Juniper Networks
- CVE-2026-33791
Junos OS and Junos OS Evolved: Execution of crafted CLI comm - CVE-2026-33790
Junos OS: SRX Series: In a NAT64 configuration, receipt of a - CVE-2026-33787
Junos OS: SRX1500, SRX4100, SRX4200, SRX4600: When a specifi - CVE-2026-33785
Junos OS: MX Series: Missing Authorization for specific 'req - CVE-2026-33784
JSI Virtual Lightweight Collector: Default password is not r
Same weakness: CWE-288
- CVE-2026-41308
Password Pusher: JSON API `/p.json` file upload alias bypass - CVE-2026-7458
User Verification by PickPlugins <= 2.0.46 - Unauthenticated - CVE-2026-7567
Temporary Login <= 1.0.0 - Authentication Bypass to Account - CVE-2026-40022
Apache Camel Platform HTTP Main: Authentication Bypass on No - CVE-2026-40630
SenseLive X3050 Authentication bypass using an alternate pat
V. Comments for CVE-2024-2973
No comments yet