Juniper Junos OS RADIUS Password Aging pre-22.4R3 fail to enforce change
CVE-2025-60010 Published on October 9, 2025

Junos OS and Junos OS Evolved: Device allows login for user with expired password
A password aging vulnerability in the RADIUS client of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated, network-based attacker to access the device without enforcing the required password change. Affected devices allow logins by users for whom the RADIUS server has responded with a reject and required the user to change the password as their password was expired. Therefore the policy mandating the password change is not enforced. This does not allow users to login with a wrong password, but only with the correct but expired one. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S4, * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R1-S3, 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S4-EVO, * 23.4 versions before 23.4R2-S5-EVO, * 24.2 versions before 24.2R2-S1-EVO, * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-60010 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

Not Using Password Aging

If no mechanism is in place for managing password aging, users will have no incentive to update passwords in a timely manner. Security experts have often recommended that users change their passwords regularly and avoid reusing passwords. Although this can be an effective mitigation, if the expiration window is too short, it can cause users to generate poor or predictable passwords. As such, it is important to discourage creating similar passwords. It is also useful to have a password aging mechanism that notifies users when passwords are considered old and requests that they replace them with new, strong passwords. Companion documentation which stresses how important this practice is can help users understand and better support this approach.

Products Associated with CVE-2025-60010

stack.watch emails you whenever new vulnerabilities are published in Juniper Networks Junos or Juniper Networks Junos Os Evolved. Just hit a watch button to start following.

Juniper Networks Junos

Juniper Networks Junos Os Evolved

Affected Versions

Juniper Networks Junos OS:

Before 22.4R3-S8 is affected.
Version 23.2 and below 23.2R2-S4 is affected.
Version 23.4 and below 23.4R2-S5 is affected.
Version 24.2 and below 24.2R2-S1 is affected.
Version 24.4 and below 24.4R1-S3, 24.4R2 is affected.

Juniper Networks Junos OS Evolved:

Before 22.4R3-S8-EVO is affected.
Version 23.2 and below 23.2R2-S4-EVO is affected.
Version 23.4 and below 23.4R2-S5-EVO is affected.
Version 24.2 and below 24.2R2-S1-EVO is affected.
Version 24.4 and below 24.4R1-S3-EVO, 24.4R2-EVO is affected.

Exploit Probability

EPSS

0.05%

Percentile

14.90%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.