"Juniper Junos OS CVE-2025-6549: J-Web Exposed on Additional SRX Interfaces"

If you run Juniper SRX Series firewalls, a Junos OS advisory published in July 2025 is worth a careful look. CVE-2025-6549 is an incorrect-authorization flaw that can leave the J-Web management interface reachable on interfaces where it was never meant to be exposed. The practical effect is a wider attack surface on the very devices you deploy to shrink it.
This post lays out exactly what the vulnerability is, which versions are affected, how serious it is, how to check whether your fleet is exposed, and the patched releases Juniper has shipped. Everything below is drawn from Juniper's security bulletin and the NVD record, with sources listed at the end.
What happened
Juniper Networks disclosed an incorrect-authorization vulnerability in the web server component of Junos OS on SRX Series devices. Under specific configurations, the Juniper Web Device Manager (J-Web) UI becomes reachable over more interfaces than the configuration intends.
Per Juniper, the condition arises when Juniper Secure Connect (JSC) is enabled on certain interfaces, or when multiple interfaces are configured for J-Web. In those cases the access controls that should restrict J-Web to its intended management interface don't fully apply, and an unauthenticated, network-based attacker can reach the J-Web login surface on an interface that should have blocked it. This is an exposure/access-control issue: the flaw is about reachability of the interface, not a direct remote-code-execution bug in J-Web itself.
Affected products and versions
The vulnerability affects Junos OS on SRX Series only. The version boundaries published by Juniper and reflected in the NVD record are below.
| Product | Affected | Fixed |
|---|---|---|
| Junos OS (SRX Series) | All versions before 21.4R3-S9 | 21.4R3-S9 |
| Junos OS (SRX Series) | 22.2 before 22.2R3-S5 | 22.2R3-S5 |
| Junos OS (SRX Series) | 22.4 before 22.4R3-S5 | 22.4R3-S5 |
| Junos OS (SRX Series) | 23.2 before 23.2R2-S3 | 23.2R2-S3 |
| Junos OS (SRX Series) | 23.4 before 23.4R2-S5 | 23.4R2-S5 |
| Junos OS (SRX Series) | 24.2 before 24.2R2 | 24.2R2 |
Juniper notes that 24.4R1 and all subsequent releases also contain the fix. If you are already running 24.4R1 or later, you are not affected by this issue.
How serious is it
Juniper and the NVD assign CVE-2025-6549 a CVSS 3.1 base score of 6.5 (Medium), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Under the newer CVSS 4.0 scale it scores 6.9 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:M.
The scoring reflects the nature of the bug. It is network-reachable and requires no authentication or user interaction, but on its own it yields only low confidentiality and integrity impact — it widens what an attacker can reach, rather than handing over the device. The real risk is that an exposed J-Web surface becomes a foothold to chain with other weaknesses, and J-Web has a long history of more severe follow-on bugs.
On exploitation status: as of this writing, Juniper SIRT states it is not aware of any malicious exploitation of this vulnerability, and CVE-2025-6549 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (verified against CISA's catalog, version 2026.06.23). That lowers urgency relative to an actively exploited bug, but it does not make patching optional — internet-facing management interfaces are a perennial target, and "not yet exploited" is not "won't be."
Am I exposed?
You are potentially exposed if all of the following are true:
- The device is an SRX Series firewall running Junos OS.
- It runs a version older than the fixed release for its train (see the table above).
- J-Web is enabled, and either Juniper Secure Connect is enabled on certain interfaces or J-Web is configured on multiple interfaces.
To check your running version from the CLI, use show version. To see where J-Web (the web management service) is enabled, review show configuration system services web-management and confirm which interfaces and zones it is bound to. Pay particular attention to any J-Web reachability from untrusted zones or WAN-facing interfaces — that is the scenario this flaw makes worse. If you cannot confirm that J-Web is restricted to a dedicated, trusted management path, treat the device as exposed until patched.
How to fix it
Patch to a fixed release. Upgrade Junos OS on affected SRX devices to the corresponding fixed version for your train:
- 21.4R3-S9
- 22.2R3-S5
- 22.4R3-S5
- 23.2R2-S3
- 23.4R2-S5
- 24.2R2
- 24.4R1 or later
Patching to the fixed release for your train is the complete remediation.
Interim mitigation if you cannot patch immediately. Juniper's recommended workaround is to limit where J-Web can be reached. Apply a firewall filter on all ingress interfaces over which J-Web is not meant to be reachable, or ensure your security policies do not permit those connections. As a broader hardening step, disable J-Web entirely if you don't use it, and otherwise restrict management access to a dedicated out-of-band or trusted management network rather than exposing it on data or WAN interfaces. These measures reduce the reachable attack surface but are not a substitute for the patch.
How Uniqcli helps
Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller, and we work with federal, SLED, healthcare, and enterprise teams that run SRX fleets at scale. We can help you:
- Assess exposure — inventory your SRX devices, map running Junos versions against the affected ranges, and flag which units are exposed and how J-Web is reachable on each.
- Plan and support the upgrade — sequence Junos OS upgrades to the fixed releases with minimal disruption, and stage interim firewall-filter mitigations where an immediate maintenance window isn't available.
- Source patched or replacement hardware — if any units are end-of-support or otherwise can't take a fixed release, we can quote current SRX platforms that ship on supported, patched Junos trains.
Procurement runs through the channels your organization already uses, including TAA-compliant sourcing, GSA, and SEWP, so security remediation and acquisition compliance stay aligned. Reach out and we'll help you scope an SRX exposure assessment and a remediation path.