DarkCrystal RAT aka DCRat – Active IOCs
April 5, 2025
Severity
High
Analysis Summary
A significant spike in malicious scanning activity targeting Juniper Networks' Session Smart Router (SSR) platform occurred between March 23rd and March 28th, 2025, according to recent findings by Researcher.
Over 3,000 unique IP addresses were observed participating in a highly coordinated campaign seeking to exploit SSR devices still using factory-default credentials. These include the widely known combinations: username “t128” or “root” with password “128tRoutes”—credentials that remain unchanged in many deployments. The synchronized pattern of scanning activity, as visualized in the Report, strongly suggests the use of automated attack tools designed to exploit misconfigured devices.
The source of these credentials traces back to Juniper’s acquisition of 128 Technology in 2020. Juniper retained the original configuration defaults from the 128T platform, and these have since become a known vulnerability vector. Despite Juniper's clear documentation of the default accounts and login information, many administrators have failed to change them post-installation, leaving SSR devices exposed to brute-force and credential-based attacks. The dramatic rise and fall of scanning within a short time frame points to an organized, time-limited effort, likely leveraging scripts or malware payloads that automate discovery and exploitation.
Security researchers suspect the involvement of Mirai botnet operations, given the malware’s known behavior of exploiting default credentials and targeting IoT and networking devices. Mirai campaigns, particularly active since late 2024, include SSH scanners using credential dictionaries that match the SSR defaults. Once access is gained, compromised devices can be enlisted into botnets to perform distributed denial-of-service (DDoS) attacks, amplifying their threat beyond the initial breach. This scanning activity may also be linked to Juniper’s recent patch in February 2025 (CVE-2025-21589), which addressed a critical authentication bypass flaw in the same platform. Attackers may be seeking to exploit unpatched systems in addition to default credentials.
To mitigate these threats, security experts recommend immediate changes to default credentials, limiting SSH access from untrusted sources, and ensuring strong, unique passwords are used. It's essential that all SSR systems are updated to the latest firmware and monitored for suspicious SSH attempts or scanning behavior. In cases where compromise is suspected, Juniper advises full reimaging of the affected devices to eliminate hidden malware or unauthorized modifications. This incident underscores the ongoing risk posed by unchanged default credentials and highlights the need for proactive security hygiene in network infrastructure.
Impact
- Sensitive Data Theft
- Unauthorized Access
- Security Bypass
- Denial of Service
Indicators of Compromise
CVE
CVE-2025-21589
Affected Vendors
Remediation
- Update the default usernames and passwords (root/128tRoutes and t128/128tRoutes) using Juniper’s documented procedures.
- Block or limit SSH access from arbitrary or untrusted internet sources by configuring firewalls or access control lists (ACLs).
- Avoid predictable patterns; use complex passwords that include a mix of letters, numbers, and symbols for all accounts.
- Apply all recent patches, especially the February 2025 fix for CVE-2025-21589, to mitigate the risk of authentication bypass.
- Regularly check logs for unusual SSH login attempts, port scans, or spikes in traffic consistent with Mirai-like behavior.
- If compromise is suspected, fully reimage affected SSR systems to ensure complete removal of potential malware or unauthorized changes.
- Isolate critical networking devices like SSRs from the broader network to minimize lateral movement if a breach occurs.
- Subscribe to Juniper’s security alerts and regularly review threat intelligence sources for updates on SSR vulnerabilities.
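The monitoring step above (checking logs for unusual SSH login attempts against the default accounts) can be turned into a small triage script. The following is an added example written for this advisory, not code from Juniper or from the report it summarizes; it assumes standard OpenSSH `sshd` syslog lines and uses constructed sample entries with RFC 5737 documentation addresses. It flags sources that hit the `root` or `t128` accounts, sources that fail repeatedly inside a short window, and any successful login to a default account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default accounts shipped with the 128T/SSR platform, as named in the advisory.
DEFAULT_ACCOUNTS = {"root", "t128"}

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+(?P<msg>.*)$"
)
EVENT_RES = [
    ("failed", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")),
    ("accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")),
    ("invalid", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
]

# Constructed sample log (not real data); addresses are from RFC 5737 ranges.
SAMPLE_LOG = [
    "Mar 24 10:15:02 ssr1 sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Mar 24 10:15:04 ssr1 sshd[2213]: Failed password for t128 from 203.0.113.5 port 51236 ssh2",
    "Mar 24 10:15:07 ssr1 sshd[2215]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Mar 24 10:16:11 ssr1 sshd[2220]: Accepted password for t128 from 198.51.100.7 port 40022 ssh2",
    "Mar 24 11:30:45 ssr1 sshd[2300]: Failed password for admin from 192.0.2.9 port 33000 ssh2",
    "Mar 24 11:31:00 ssr1 sshd[2301]: Invalid user admin from 192.0.2.9 port 33001",
    "Mar 24 11:31:10 ssr1 sshd[2302]: pam_unix(sshd:auth): authentication failure; logname= uid=0",
]


def parse_sshd_line(line, year=2025):
    """Return a dict {ts, kind, user, ip} for a recognised sshd auth event, else None.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2025 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    for kind, rx in EVENT_RES:
        em = rx.match(m.group("msg"))
        if em:
            return {"ts": ts, "kind": kind, "user": em.group("user"), "ip": em.group("ip")}
    return None


def find_suspicious(lines, threshold=3, window_seconds=300):
    """Triage sshd log lines.

    bruteforce_sources:      IPs with >= threshold password failures inside window_seconds
    default_account_sources: IPs that touched a default SSR account at all (any outcome)
    accepted_default_logins: successful logins to a default account, worth manual review
    """
    events = [e for e in (parse_sshd_line(l) for l in lines) if e]
    failures = defaultdict(list)
    default_sources = set()
    accepted_default = []
    for e in events:
        if e["user"] in DEFAULT_ACCOUNTS:
            default_sources.add(e["ip"])
            if e["kind"] == "accepted":
                accepted_default.append((e["ts"].isoformat(), e["user"], e["ip"]))
        if e["kind"] == "failed":
            failures[e["ip"]].append(e["ts"])

    # Sliding window: flag an IP if any `threshold` consecutive failures fit in the window.
    window = timedelta(seconds=window_seconds)
    brute = set()
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                brute.add(ip)
                break
    return {
        "bruteforce_sources": sorted(brute),
        "default_account_sources": sorted(default_sources),
        "accepted_default_logins": accepted_default,
    }


if __name__ == "__main__":
    report = find_suspicious(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live device, feed the script `/var/log/auth.log` (or the journal export) instead of `SAMPLE_LOG`; the thresholds are starting points, and any entry under `accepted_default_logins` from a source you do not recognise is the case where the advisory's reimaging guidance applies.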