Juniper Networks is rolling out updates for some smart routers. The key is to install them quickly, as the updates close large and serious leaks.

Juniper Networks routers have been affected by a critical leak. The CVE-2024-2973 bug receives a score of ten out of ten on both CVSS 3.1 and CVSS 4. This exceptional score highlights how critical the vulnerability is.

Affected devices

The leak affects routers that are set up in a high availability configuration. It allows attackers on the network to completely bypass authentication and thus gain full control over the devices. The following devices and firmware are vulnerable, according to Juniper:

Session Smart Router:

• All versions older than 5.6.15,
• From 6.0 to version 6.1.9-lts,
• From 6.2 to version 6.2.5-sts.

Smart Conductor of the session:

• All versions older than 5.6.15,
• From 6.0 to version 6.1.9-lts,
• From 6.2 to version 6.2.5-sts.

WAN Assurance Router:

• From 6.0 to version 6.1.9-lts,
• From 6.2 to version 6.2.5-sts.

Juniper says it is not aware of any active abuse to date. However, the flaw can be a powerful tool for attackers who can use the routers to gain extensive control over the network.

Users should upgrade to firmware SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts or later as soon as possible. For MIST-managed WAN Assurance routers connected to the MIST cloud, Juniper has already automatically applied the patch.