How to fix CVE-2025-13914?

Within 24 hours: Identify all Apstra deployments and document current versions (vulnerable if <6.1.1); isolate Apstra orchestration network segments and restrict SSH access to managed devices to trusted networks only. Within 7 days: Upgrade all Apstra instances to version 6.1.1 or later per Juniper vendor advisory; validate SSH host key acceptance policies are enforced. Within 30 days: Conduct credential audit for all device accounts managed by Apstra; rotate SSH keys and credentials for network infrastructure; implement network segmentation controls and monitor for unauthorized device access.

Is Microsoft affected by CVE-2025-13914?

CVE-2025-13914 affects Juniper Networks Apstra network orchestration platform, allowing unauthenticated attackers positioned on the network to intercept SSH communications and impersonate managed devices, potentially compromising credentials for critical infrastructure control systems.

CVE-2025-13914

Q: Is Microsoft affected by CVE-2025-13914?

CVE-2025-13914 affects Juniper Networks Apstra network orchestration platform, allowing unauthenticated attackers positioned on the network to intercept SSH communications and impersonate managed devices, potentially compromising credentials for critical infrastructure control systems.

EUVD-2025-209397 HIGH

2026-04-09 [email protected]

GHSA-3gg3-cwcp-3cpw

7.0

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 09, 2026 - 22:22 euvd

EUVD-2025-209397

Analysis Generated

Apr 09, 2026 - 22:22 vuln.today

CVE Published

Apr 09, 2026 - 22:16 nvd

HIGH 7.0

Description

A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials. This issue affects all versions of Apstra before 6.1.1.

Analysis

Man-in-the-middle attack against Juniper Networks Apstra allows unauthenticated attackers to impersonate managed network devices and capture credentials due to insufficient SSH host key validation. The vulnerability affects all Apstra versions before 6.1.1, enabling interception of SSH connections between the Apstra orchestration platform and managed infrastructure. No public exploit identified at time of analysis, though the attack requires network positioning between Apstra and target devices.

Technical Context

CWE-322 key exchange flaw: Apstra SSH client fails to properly validate server host keys during connection establishment to managed devices. This missing cryptographic identity verification permits MITM attackers with network access to present forged host keys, breaking the authentication chain and enabling session hijacking without cryptographic detection.

Affected Products

Juniper Networks Apstra, all versions prior to 6.1.1. Vendor: Juniper Networks. No CPE data provided in source intelligence.

Remediation

Vendor-released patch: Upgrade to Juniper Networks Apstra version 6.1.1 or later, which implements proper SSH host key validation. Review SSH connection logs for anomalous host key changes or connection patterns that may indicate prior exploitation. Implement network segmentation to restrict MITM attack surface between Apstra management plane and managed device infrastructure. Rotate credentials for accounts used in device management if compromise is suspected. Full vendor advisory available at https://kb.juniper.net/JSA107862 with detailed upgrade procedures and additional security guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +35

POC: 0

CVE-2025-13914 vulnerability details – vuln.today

Back

CVE-2025-13914

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-13914

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code