CVE Alert: CVE-2025-11198 – Juniper Networks – Security Director Policy Enforcer

CVE-2025-11198

HIGH · No exploitation known

A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones. If a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker’s uploaded image to VMware NSX instead of a legitimate one. This issue affects Security Director Policy Enforcer: all versions before 23.1R1 Hotpatch v3. This issue does not affect Junos Space Security Director Insights.

CVSS v3.1 (7.4)
AV NETWORK · AC LOW · PR NONE · UI REQUIRED · S CHANGED
Vendor: Juniper Networks
Product: Security Director Policy Enforcer
Versions: < 23.1R1 Hotpatch v3 (all versions before)
CWE: CWE-306 Missing Authentication for Critical Function
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Published: 2025-10-09T15:39:28.578Z
Updated: 2025-10-09T19:49:45.941Z

AI Summary Analysis

Risk verdict

High risk with an unauthenticated network capability to substitute legitimate vSRX images; patching and mitigations should be treated as urgent.

Why this matters

If exploited, an attacker could deliver malicious images to VMware NSX, undermining firewall/VPN protections and potentially enabling further network access or lateral movement across trusted segments. The impact is heightened by the broad scope of the affected deployment and the possibility of tampering with security policy enforcement without immediate detection.

Most likely attack path

An attacker exploits the API/deployment workflow to substitute images during a trusted deployment flow. With network access and no required privileges, the actor relies on a user-initiated action to trigger the replacement, and a changed scope could affect additional components beyond the initial target. Detection complexity is increased by legitimate deployment activity.

Who is most exposed

Organizations deploying Security Director Policy Enforcer in environments tightly integrated with VMware NSX (on-premises or hybrid) are most at risk, especially where automated image deployment workflows exist and where access controls to the enforcer are lax.

Detection ideas

  • Unusual image upload/deployment events tied to the policy enforcer, especially for vSRX images.
  • Image hash or fingerprint mismatches against known-good baselines.
  • API access logs showing unauthorised or anomalous deployment requests.
  • NSX image import actions inconsistent with standard change tickets.
  • Unexpected changes in policy-enforcer activity around image deployment times.

Mitigation and prioritisation

  • Apply updates: 23.1 Hotpatch v3, 24.1R4 or later.
  • Rotate secrets across devices after upgrading.
  • Tighten access: ACLs/IP allowlists for the enforcer API; require MFA where feasible.
  • Enforce strict change-management for image deployments; disable auto-replace workflows.
  • Validate image provenance and integrity; increase logging and alerting around deployment events.
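As an added defender-side illustration (not code from this page or from Juniper), the Python check below implements the baseline-hash detection idea and the provenance-validation mitigation listed above: before a deployment is released to NSX, every staged image is compared against a known-good SHA-256 manifest recorded when the image was obtained from the vendor, and any mismatch or unexpected upload blocks the deployment. Image names, image contents and the manifest are constructed sample data, not real vSRX artefacts.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory image; use chunked hashing for real multi-GB files."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a vendor vSRX image and a substituted copy of it.
LEGIT_IMAGE = b"VSRX-IMAGE-23.1R1-vendor-contents"
TAMPERED_IMAGE = LEGIT_IMAGE + b"\x00-unexpected-extra-payload"

# Known-good baseline recorded out-of-band at download time (constructed here).
# Never derive this from the enforcer's own upload store, since that is the
# component an unauthenticated upload could have altered.
BASELINE: Dict[str, str] = {"vsrx-23.1R1.qcow2": sha256_hex(LEGIT_IMAGE)}


def check_staged_images(staged: Dict[str, bytes],
                        baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (image_name, verdict) for each staged image.

    Verdicts: 'ok'              - hash matches the baseline
              'hash-mismatch'   - known name, different content (possible substitution)
              'not-in-baseline' - image the baseline never recorded (unexpected upload)
    """
    findings = []
    for name in sorted(staged):
        expected = baseline.get(name)
        if expected is None:
            findings.append((name, "not-in-baseline"))
        elif hmac.compare_digest(sha256_hex(staged[name]), expected):
            findings.append((name, "ok"))
        else:
            findings.append((name, "hash-mismatch"))
    return findings


def deployment_allowed(findings: List[Tuple[str, str]]) -> bool:
    """Gate the push to NSX: only proceed when every staged image verified."""
    return bool(findings) and all(verdict == "ok" for _, verdict in findings)


if __name__ == "__main__":
    staged = {"vsrx-23.1R1.qcow2": TAMPERED_IMAGE, "vsrx-extra.qcow2": LEGIT_IMAGE}
    results = check_staged_images(staged, BASELINE)
    for name, verdict in results:
        print(f"{name}: {verdict}")
    print("deployment allowed:", deployment_allowed(results))
```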
