
CVE-2025-13914

High
CWE-322 — Weakness Type
Published: Apr 9, 2026  ·  Modified: Apr 16, 2026  ·  Source: NVD
CVSS v3: 8.7
📄 Description (English)

A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows an unauthenticated, MITM attacker to impersonate managed devices.

Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials.

This issue affects all versions of Apstra before 6.1.1.

🤖 AI Executive Summary

CVE-2025-13914 is a critical SSH authentication bypass vulnerability in Juniper Networks Apstra that allows unauthenticated attackers to perform man-in-the-middle attacks on SSH connections to managed devices. The vulnerability stems from insufficient SSH host key validation, enabling attackers to impersonate managed devices and capture user credentials. All Apstra versions before 6.1.1 are affected, with no patch currently available, making this an urgent threat to network infrastructure management.

🤖 AI Intelligence Analysis (analyzed Apr 23, 2026 20:19)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risks to Saudi critical infrastructure operators, particularly: (1) ARAMCO and energy sector organizations using Apstra for network device management—attackers could intercept credentials and compromise SCADA/ICS systems; (2) SAMA-regulated financial institutions managing network infrastructure—credential theft could enable lateral movement to banking systems; (3) Government entities (NCA, NCSC) and telecommunications providers (STC, Mobily) relying on Apstra for managed device orchestration; (4) Healthcare organizations managing networked medical devices. The MITM capability enables credential harvesting at scale across managed device fleets, with potential for supply chain compromise of network infrastructure.
🏢 Affected Saudi Sectors
Energy (ARAMCO, oil & gas operations)
Banking and Financial Services (SAMA-regulated institutions)
Government (NCA, NCSC, federal agencies)
Telecommunications (STC, Mobily, Zain)
Healthcare (hospitals, medical device networks)
Critical Infrastructure (water, utilities)
Defense and Military
⚖️ Saudi Risk Score (AI): 9.1 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Apstra deployments in your environment and document versions (all versions <6.1.1 are vulnerable)
2. Isolate Apstra management servers from untrusted networks; restrict SSH access to managed devices through Apstra to authorized networks only
3. Implement network segmentation: place Apstra servers and managed devices on isolated VLANs with strict firewall rules
4. Enable SSH connection logging and monitoring for all Apstra-to-device communications

Compensating Controls (until patch available):
5. Deploy SSH proxy/bastion host between Apstra and managed devices with strict host key pinning and validation
6. Implement certificate-based authentication where possible; disable password-based SSH authentication
7. Monitor for suspicious SSH connections: failed authentication attempts, unexpected source IPs, unusual command patterns
8. Use VPN/IPSec tunnels for all Apstra-to-device communications to prevent MITM attacks
9. Implement SSH host key verification scripts on managed devices to detect unauthorized connections

Detection Rules:
10. Alert on SSH connections from Apstra servers with mismatched host keys
11. Monitor for multiple failed SSH authentication attempts from Apstra management interface
12. Track changes to SSH authorized_keys files on managed devices
13. Log all credential usage originating from Apstra management sessions

Patching:
14. Upgrade to Apstra 6.1.1 or later immediately upon availability
15. Test patches in isolated lab environment before production deployment
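
Steps 5 and 10 above both come down to comparing the host key a device presents against a value recorded out of band, and refusing the session on anything else. The Python below is an added example (not Juniper's code and not part of the original page) that audits `host keytype base64` lines, as found in an unhashed known_hosts file or ssh-keyscan output; the host names and keys are constructed sample data, and hashed or comma-separated host entries are assumed not to occur.

```python
import base64
import hashlib
import struct

def make_blob(seed: bytes) -> str:
    """Build a constructed ssh-ed25519 public key blob (sample data only)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text: str) -> dict:
    """Parse unhashed 'host keytype base64' lines into {(host, keytype): fp}."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # skip blanks, comments and malformed lines
        keys[(fields[0], fields[1])] = fingerprint(fields[2])
    return keys

def audit(pinned_text: str, observed_text: str) -> list:
    """Classify each observed key; anything but OK must block the session."""
    pinned = parse_keys(pinned_text)
    findings = []
    for (host, ktype), fp in sorted(parse_keys(observed_text).items()):
        want = pinned.get((host, ktype))
        status = "UNPINNED" if want is None else "OK" if want == fp else "MISMATCH"
        findings.append((host, status, fp))
    return findings

# Constructed inventory (recorded out of band) and constructed scan results.
PINNED = "\n".join([
    "# pinned at provisioning time",
    f"leaf1.example.net ssh-ed25519 {make_blob(b'leaf1')}",
    f"leaf2.example.net ssh-ed25519 {make_blob(b'leaf2')}",
])
OBSERVED = "\n".join([
    f"leaf1.example.net ssh-ed25519 {make_blob(b'leaf1')}",
    f"leaf2.example.net ssh-ed25519 {make_blob(b'intercepted')}",  # key changed
    f"spine1.example.net ssh-ed25519 {make_blob(b'spine1')}",      # never pinned
])

if __name__ == "__main__":
    for host, status, fp in audit(PINNED, OBSERVED):
        print(f"{status:9} {host} {fp}")
```

Treating UNPINNED the same as MISMATCH is the point: accepting a first-seen key silently is the trust-on-first-use gap that host key pinning is meant to close.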
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.8.2.1 - User authentication and access control
ECC 2024 A.8.2.3 - Management of privileged access rights
ECC 2024 A.8.3.1 - Password management
ECC 2024 A.13.1.1 - Information security policies and procedures
ECC 2024 A.13.2.1 - Access control to information systems
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Hardware and software assets are inventoried
SAMA CSF PR.AC-1 - Identities and credentials are issued, managed, verified, revoked and audited
SAMA CSF PR.AC-3 - Remote access is managed
SAMA CSF PR.DS-2 - Data in transit is protected
SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information security policies
ISO 27001:2022 A.8.2 - User access management
ISO 27001:2022 A.8.3 - User responsibilities
ISO 27001:2022 A.9.2 - User access provisioning
ISO 27001:2022 A.9.4 - Access rights review
ISO 27001:2022 A.10.1 - Cryptography
ISO 27001:2022 A.13.1 - Network security
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Establish configuration standards for system components
PCI DSS 2.2.4 - Configure system security parameters to prevent misuse
PCI DSS 8.1 - Assign unique user ID to each person with computer access
PCI DSS 8.2 - Ensure proper user authentication
PCI DSS 8.3 - Restrict access to cardholder data by business need to know
📊 CVSS Score: 8.7 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector: N (Network)
Attack Complexity: H (High)
Privileges Required: N (None)
User Interaction: N (None)
Scope: C (Changed)
Confidentiality: H (High)
Integrity: H (High)
Availability: N (None)
📋 Quick Facts
Severity High
CVSS Score 8.7
CWE CWE-322
EPSS 0.03%
Exploit No
Patch ✗ No
Published 2026-04-09
Source Feed nvd
🇸🇦 Saudi Risk Score: 9.1 / 10.0
Priority: CRITICAL