Platform
linux
Component
apstra
Fixed in
6.1.1
CVE-2025-13914 describes a Key Exchange without Entity Authentication vulnerability within the SSH implementation of Juniper Networks Apstra. This flaw allows an unauthenticated attacker to execute a man-in-the-middle (MITM) attack, potentially impersonating managed devices and compromising sensitive data. The vulnerability impacts all Apstra versions prior to 6.1.1, and a fix is available in version 6.1.1.
The primary impact of CVE-2025-13914 is the potential for a MITM attack on SSH connections between Apstra and its managed devices. A successful attacker can intercept and potentially modify network traffic, leading to unauthorized access and control. This could involve capturing user credentials used for authentication, enabling the attacker to impersonate legitimate devices and execute malicious commands. The blast radius extends to any device managed by Apstra, as the attacker can leverage the compromised SSH connection to gain a foothold within the network. This vulnerability shares similarities with other SSH-related MITM attacks, highlighting the importance of robust host key validation.
CVE-2025-13914 was published on 2026-04-09. The vulnerability’s CVSS score of 8.7 (HIGH) indicates a significant risk. Public proof-of-concept (POC) code is currently unavailable, but the nature of the vulnerability suggests that exploitation is possible. It is not currently listed on the CISA KEV catalog. Active campaigns exploiting this vulnerability are not currently known, but the ease of MITM attacks warrants careful monitoring.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13914 is to upgrade Apstra to version 6.1.1 or later, which includes the necessary fixes for the SSH host key validation issue. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as strengthening SSH key management practices, including stricter key rotation policies and limiting SSH access to authorized users only. Network segmentation can also reduce the potential impact by isolating Apstra from critical network segments. Monitor SSH connections for unusual activity and implement intrusion detection systems (IDS) to identify and block suspicious traffic. After upgrading, confirm the fix by verifying that SSH host key validation is functioning correctly and that no unauthorized devices are attempting to connect.
Update Apstra to version 6.1.1 or later to mitigate the SSH host key validation vulnerability. This update corrects the way Apstra validates SSH host keys, preventing man-in-the-middle attacks and protecting user credentials.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-13914 is a HIGH severity vulnerability in Juniper Apstra allowing an unauthenticated attacker to perform a man-in-the-middle attack on SSH connections, potentially impersonating managed devices.
If you are using Juniper Apstra versions 0.0.0 through 6.1.1, you are potentially affected by this vulnerability. Upgrade to version 6.1.1 or later to mitigate the risk.
The recommended fix is to upgrade to Juniper Apstra version 6.1.1 or later. If an immediate upgrade is not possible, implement temporary workarounds such as strengthening SSH key management.
While active exploitation is not currently confirmed, the vulnerability's nature suggests a potential for exploitation, and careful monitoring is advised.
Refer to the official Juniper Security Advisory for CVE-2025-13914 on the Juniper Networks website for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.