Which versions of Microsoft are affected by CVE-2025-13914?

CVE-2025-13914 in Juniper Networks Apstra allows unauthenticated attackers positioned on the network to impersonate managed devices and intercept credentials through insufficient SSH host key…. A patch is available.

How to fix or mitigate CVE-2025-13914?

Within 24 hours: Identify all Apstra deployments and document current versions via administrative console. Within 7 days: Upgrade all Apstra instances to version 6.1.1 or later per Juniper vendor advisory. Within 30 days: Audit SSH connection logs for anomalies, rotate credentials for all network devices managed by Apstra, and implement network segmentation to restrict Apstra-to-device communication paths.

Microsoft CVE-2025-13914

Q: What is the CVSS score of CVE-2025-13914?

CVE-2025-13914 has a CVSS 4.0 base score of 7.0 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:X. EPSS exploitation probability: 0.0%.

EUVD-2025-209397 HIGH

Key Exchange without Entity Authentication (CWE-322)

2026-04-09 sirt@juniper.net

GHSA-3gg3-cwcp-3cpw

Information Disclosure Microsoft Juniper

7.0

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:59 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

6.1.1

EUVD ID Assigned

Apr 09, 2026 - 22:22 euvd

EUVD-2025-209397

Analysis Generated

Apr 09, 2026 - 22:22 vuln.today

CVE Published

Apr 09, 2026 - 22:16 nvd

HIGH 7.0

DescriptionNVD

A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM

attacker to impersonate managed devices.

Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials.

This issue affects all versions of Apstra before 6.1.1.

AnalysisAI

Man-in-the-middle attack against Juniper Networks Apstra allows unauthenticated attackers to impersonate managed network devices and capture credentials due to insufficient SSH host key validation. The vulnerability affects all Apstra versions before 6.1.1, enabling interception of SSH connections between the Apstra orchestration platform and managed infrastructure. No public exploit identified at time of analysis, though the attack requires network positioning between Apstra and target devices.

Technical ContextAI

CWE-322 key exchange flaw: Apstra SSH client fails to properly validate server host keys during connection establishment to managed devices. This missing cryptographic identity verification permits MITM attackers with network access to present forged host keys, breaking the authentication chain and enabling session hijacking without cryptographic detection.

RemediationAI

Vendor-released patch: Upgrade to Juniper Networks Apstra version 6.1.1 or later, which implements proper SSH host key validation. Review SSH connection logs for anomalous host key changes or connection patterns that may indicate prior exploitation. Implement network segmentation to restrict MITM attack surface between Apstra management plane and managed device infrastructure. Rotate credentials for accounts used in device management if compromise is suspected. Full vendor advisory available at https://kb.juniper.net/JSA107862 with detailed upgrade procedures and additional security guidance.