Description
A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM

attacker to impersonate managed devices.

Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials.

This issue affects all versions of Apstra before 6.1.1.
Published: 2026-04-09
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Impersonation of Managed Devices via SSH MitM
Action: Immediate Patch
AI Analysis

Impact

Juniper Networks Apstra contains a Key Exchange without Entity Authentication flaw in its SSH implementation that allows an unauthenticated attacker to perform a man-in-the-middle on the connections between Apstra and its managed devices. The lack of proper host key validation lets the attacker impersonate a managed device and capture credentials transmitted over SSH. The vulnerability is classified as CWE-322, reflecting the absence of safe authentication in the key exchange process.

Affected Systems

The flaw affects every Apstra release prior to 6.1.1. Systems running 6.1.1 or any later release are not vulnerable. This includes all versions deployed by Juniper Networks customers for device management.

Risk and Exploitability

The CVSS v3.1 score of 7.0 denotes high severity, but EPSS data is not available and the issue is not listed in the CISA KEV catalog. The attack requires the ability to intercept network traffic between Apstra and its target devices; an unauthenticated attacker who can position themselves in that path can execute a MitM and impersonate the device. Because the vulnerability is network-based and does not require privileged access to Apstra, the likelihood of exploitation in exposed environments remains a significant threat.

Generated by OpenCVE AI on April 10, 2026 at 00:24 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: Apstra 6.1.1, and all subsequent releases.

Vendor Workaround

There are no known workarounds for this issue.

OpenCVE Recommended Actions

  • Upgrade Apstra to version 6.1.1 or later to apply the vendor patch that resolves the SSH host key validation flaw.
  • No known workaround available.

Generated by OpenCVE AI on April 10, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://kb.juniper.net/JSA107862 cve-icon cve-icon
History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Juniper Networks
Juniper Networks apstra
Vendors & Products Juniper Networks
Juniper Networks apstra

Thu, 09 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials. This issue affects all versions of Apstra before 6.1.1.
Title Apstra: SSH host key validation vulnerability for managed devices
Weaknesses CWE-322
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/R:U/RE:M'}

Subscriptions

Juniper Networks Apstra
cve-icon MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-04-09T21:32:14.834Z

Reserved: 2025-12-02T17:48:47.280Z

Link: CVE-2025-13914

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-09T22:16:22.697

Modified: 2026-04-09T22:16:22.697

Link: CVE-2025-13914

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:57Z

Weaknesses