CVE-2025-11198— Security Director Policy Enforcer: An unrestricted API allows a network-based unauthenticated attacker to deploy malicious vSRX images to VMWare NSX Server

CVSS 7.4 · High EPSS 0.04% · P13 Updated Oct 10, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-11198

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Security Director Policy Enforcer: An unrestricted API allows a network-based unauthenticated attacker to deploy malicious vSRX images to VMWare NSX Server

Source: NVD (National Vulnerability Database)

Vulnerability Description

A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones. If a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker's uploaded image to VMware NSX instead of a legitimate one. This issue affects Security Director Policy Enforcer: * All versions before 23.1R1 Hotpatch v3. This issue does not affect Junos Space Security Director Insights.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

关键功能的认证机制缺失

Source: NVD (National Vulnerability Database)

Vulnerability Title

Juniper Security Director Policy Enforcer 访问控制错误漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Juniper Security Director Policy Enforcer是美国瞻博（Juniper）公司的一个实现安全策略的集中下发与威胁响应自动化的模块。 Juniper Security Director Policy Enforcer 23.1R1 Hotpatch v3之前版本存在访问控制错误漏洞，该漏洞源于缺少关键功能身份验证，可能导致未经身份验证的攻击者替换合法vSRX镜像。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Juniper Networks	Security Director Policy Enforcer	0 ~ 23.1R1 Hotpatch v3	-

II. Public POCs for CVE-2025-11198

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-11198

请登录查看更多情报信息。

https://nvd.nist.gov/vuln/detail/CVE-2025-11198

Same Patch Batch · Juniper Networks · 2025-10-09 · 40 CVEs total

CVE-2025-59978	9.0 CRITICAL	Junos Space: Stored cross-site scripting vulnerability in web application
CVE-2025-59968	8.6 HIGH	Junos Space Security Director: Insufficient authorization for sensitive resources in web i
CVE-2025-59974	8.4 HIGH	Junos Space Security Director: Persistent Cross-Site Scripting (XSS) vulnerability
CVE-2025-60004	7.5 HIGH	Junos OS and Junos OS Evolved: Specific BGP EVPN update message causes rpd crash
CVE-2025-59964	7.5 HIGH	Junos OS: SRX4700: When forwarding-options sampling is enabled any traffic destined to the
CVE-2025-59975	7.5 HIGH	Junos Space: Flooding device with inbound API calls leads to WebUI and CLI management acce
CVE-2025-59957	6.8 MEDIUM	Junos OS: EX4600 Series and QFX5000 Series: An attacker with physical access can open a pe
CVE-2025-52961	6.5 MEDIUM	Junos OS Evolved: PTX Series except PTX10003: An unauthenticated adjacent attacker sending
CVE-2025-59980	6.5 MEDIUM	Junos OS: When a user with the name ftp or anonymous is configured unauthenticated filesys
CVE-2025-59976	6.5 MEDIUM	Junos Space: Arbitrary file download vulnerability in web interface
CVE-2025-59967	6.5 MEDIUM	Junos OS Evolved: ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509: When spe
CVE-2025-59958	6.5 MEDIUM	Junos OS Evolved: PTX Series: When a firewall filter rejects traffic these packets are err
CVE-2025-60009	6.1 MEDIUM	Junos Space: CLI Configlet page is vulnerable to reflected cross-site script injection
CVE-2025-59981	6.1 MEDIUM	Junos Space: Device Template Definition page is vulnerable to reflected cross-site script
CVE-2025-59982	6.1 MEDIUM	Junos Space: Dashboard Search field is vulnerable to reflected cross-site script injection
CVE-2025-59983	6.1 MEDIUM	Junos Space: Template Definition page is vulnerable to reflected cross-site script injecti
CVE-2025-59984	6.1 MEDIUM	Junos Space: Global Search is vulnerable to reflected cross-site script injection
CVE-2025-59985	6.1 MEDIUM	Junos Space: Purging Policy field is vulnerable to reflected cross-site script injection
CVE-2025-59986	6.1 MEDIUM	Junos Space: Input fields in Model Devices are vulnerable to reflected cross-site script i
CVE-2025-59988	6.1 MEDIUM	Junos Space: Generate Report page is vulnerable to reflected cross-site script injection

Showing top 20 of 40 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same vendor: Juniper Networks

Same weakness: CWE-306

V. Comments for CVE-2025-11198

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-11198— Security Director Policy Enforcer: An unrestricted API allows a network-based unauthenticated attacker to deploy malicious vSRX images to VMWare NSX Server

I. Basic Information for CVE-2025-11198

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-11198

III. Intelligence Information for CVE-2025-11198

Same Patch Batch · Juniper Networks · 2025-10-09 · 40 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2025-11198

Leave a comment