CVE-2025-59980 MEDIUM

CVE-2025-59980: Junos OS: When a user with the name ftp or anonymous is configured unauthenticated filesystem access is allowed

Vendor Juniper Networks
Product Junos OS
Weakness CWE-305
Published October 9, 2025
Last update October 10, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

An Authentication Bypass by Primary Weakness in the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device. When the FTP server is enabled and a user named "ftp" or "anonymous" is configured, that user can log in without providing the configured password and then has read-write access to their home directory.

This issue affects Junos OS:

* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2.
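The exposure conditions and version ranges above can be checked against a device's configuration export. The following is an added example, not vendor code: it assumes the input is the output of "show configuration | display set", the function names are hypothetical, and the sample configuration is constructed. Release trains the advisory does not name are reported as undetermined rather than guessed.

```python
import re

# First fixed (R, S) per train, copied from the advisory's affected ranges.
FIXED = {(22, 4): (3, 8), (23, 2): (2, 3), (23, 4): (2, 0)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")
FTP_RE = re.compile(r"^set system services ftp(?:\s|$)")
USER_RE = re.compile(r"^set system login user (ftp|anonymous)(?:\s|$)")

def version_affected(version):
    """True/False per the advisory; None if the train is not listed or the
    string is not a plain R/S release (assumption: no other naming schemes)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, r, s = (int(g) if g else 0 for g in m.groups())
    if (major, minor) < (22, 4):
        return True                      # "all versions before 22.4R3-S8"
    if (major, minor) not in FIXED:
        return None                      # train not named in the advisory
    return (r, s) < FIXED[(major, minor)]

def config_exposed(set_lines):
    """Return (ftp_enabled, risky_users), ignoring deactivated statements."""
    lines = [l.strip() for l in set_lines]
    inactive = {l[len("deactivate "):] for l in lines if l.startswith("deactivate ")}
    ftp = "system services ftp" not in inactive and any(FTP_RE.match(l) for l in lines)
    users = sorted({m.group(1) for l in lines if (m := USER_RE.match(l))
                    and f"system login user {m.group(1)}" not in inactive})
    return ftp, users

def assess(version, set_lines):
    """EXPOSED: both conditions met on an affected release.
    CHECK-VERSION: conditions met, release not covered by the advisory text."""
    ftp, users = config_exposed(set_lines)
    affected = version_affected(version)
    if not (ftp and users) or affected is False:
        return "OK", users
    return ("EXPOSED" if affected else "CHECK-VERSION"), users

# Constructed sample; "ftp-admin" must not be mistaken for the user "ftp".
SAMPLE_CONFIG = """\
set system services ssh
set system services ftp
set system login user anonymous class read-only
set system login user ftp-admin class super-user
""".splitlines()

if __name__ == "__main__":
    for ver in ("22.4R3-S7.2", "23.4R2", "24.2R1"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```

A result of EXPOSED can be cleared by upgrading to a fixed release, or by removing either condition the description names: the FTP service or the "ftp"/"anonymous" user.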

Key dates

02 Disclosure timeline

October 9, 2025 CVE published
October 10, 2025 Record updated