CVE-2025-60010 is a vulnerability classified under CWE-262 (Not Using Password Aging) affecting Juniper Networks Junos OS and Junos OS Evolved. The flaw exists in the RADIUS client implementation, where the system fails to enforce password expiration policies properly. When a RADIUS server responds with a reject due to an expired password and requires a password change, the Junos device erroneously allows login with the expired but correct password instead of forcing a password update. This means that authenticated users whose passwords have expired can bypass the password aging enforcement and maintain access without updating credentials. The vulnerability affects all versions of Junos OS and Junos OS Evolved before the patched releases 22.4R3-S8, 23.2R2-S4, 23.4R2-S5, 24.2R2-S1, and 24.4R1-S3/24.4R2 and their EVO counterparts. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low complexity, requiring privileges but no user interaction, and limited confidentiality and integrity impact without availability impact. No public exploits are known, but the flaw could be leveraged by an authenticated attacker to maintain unauthorized access, undermining password policy controls and potentially facilitating lateral movement or persistent access within a network environment.

For European organizations, this vulnerability poses a risk to network device security by allowing authenticated users to bypass password expiration policies, potentially leading to unauthorized prolonged access. This undermines internal security controls designed to enforce credential hygiene and increases the risk of credential compromise or misuse. Confidentiality and integrity of network management sessions could be compromised, enabling attackers to alter configurations or intercept sensitive data. Although availability is not directly impacted, the persistence of expired credentials could facilitate further attacks or unauthorized changes. Organizations in sectors with stringent compliance requirements (e.g., finance, government, critical infrastructure) may face regulatory risks if password policies are not properly enforced. The vulnerability is particularly concerning for large enterprises and service providers relying on Juniper devices for core routing and security functions, as it could be exploited to maintain footholds in critical network infrastructure.

European organizations should immediately identify and inventory all Juniper Networks devices running affected Junos OS and Junos OS Evolved versions. They must prioritize applying the vendor-released patches starting from versions 22.4R3-S8 and later as specified. Until patches are applied, organizations should enforce compensating controls such as restricting RADIUS authentication to trusted networks, implementing multi-factor authentication (MFA) for device access, and monitoring authentication logs for anomalous login patterns involving expired credentials. Network segmentation should limit access to management interfaces. Additionally, reviewing and tightening password policies on RADIUS servers and ensuring they are synchronized with device configurations can reduce risk. Regular audits of user accounts and forced password resets can help mitigate the impact. Finally, organizations should update incident response plans to detect and respond to potential misuse of expired credentials.