Hackers Target Juniper Smart Routers Using Default Password Exploit

Juniper Networks’ Session Smart Routing (SSR) platform has recently become the focus of a significant cybersecurity concern.

Between March 23 and March 28, over 3,000 unique IP addresses were observed scanning for the default username “t128” and its associated password “128tRoutes.”

This surge highlights vulnerabilities stemming from unchanged default credentials on SSR devices—a critical issue that has persisted since Juniper acquired 128 Technologies in 2020.

Background on the Vulnerability

The SSR platform, originally developed by 128 Technologies, retained its default credentials even after its integration into Juniper’s product portfolio.

These credentials are publicly documented and easily exploitable, making devices with unaltered settings attractive targets for cybercriminals.

While Juniper has patched critical vulnerabilities in SSR devices in recent years, default credentials remain a weak point that attackers frequently exploit.

The Recent Surge in Scanning Activity

The scans observed last week are believed to be part of a “Mirai-type” botnet campaign.

Mirai botnets are notorious for leveraging default credentials to compromise devices and integrate them into large-scale networks used for distributed denial-of-service (DDoS) attacks.

Indicators suggest that the scanning activity targeted SSH services on SSR devices, aiming to exploit the default “t128” account for administrative access.

Implications for Organizations

Devices with unchanged default credentials are highly vulnerable to compromise. Once exploited, they can be co-opted into botnets or used as entry points for further attacks.

This is particularly concerning given the widespread use of Juniper’s SSR platform in enterprise environments, where compromised routers could lead to significant disruptions.

Recommendations

To mitigate these risks, administrators must take immediate action:

  • Change Default Credentials: Update the passwords for both “t128” and “root” accounts using the secure practices outlined in Juniper’s documentation.
  • Apply Security Updates: Ensure all SSR devices are running patched software versions to address known vulnerabilities like CVE-2025-21589.
  • Monitor Network Traffic: Look for signs of compromise, such as unusual outbound traffic spikes or failed SSH login attempts from malicious IPs.
  • Disable Unnecessary Services: Turn off remote access features if not required to reduce exposure.
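
One way to act on the monitoring recommendation, as an added example that is not from the article or from Juniper: it reads OpenSSH-style authentication log lines for the “t128” and “root” accounts and flags repeated failures from one source, plus any accepted login from outside a management subnet. The log format, the `MGMT_NETS` subnet, the threshold, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

WATCHED_USERS = {"t128", "root"}  # accounts the article says to re-credential
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical admin subnet
# OpenSSH-style auth messages (assumed format; adapt to your syslog pipeline).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def is_mgmt(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False
    return any(addr in net for net in MGMT_NETS)

def find_alerts(lines, fail_threshold=3):
    """Return (severity, user, source, reason) tuples in log order."""
    failed, alerts = Counter(), []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m or m["user"] not in WATCHED_USERS:
            continue
        user, ip = m["user"], m["ip"]
        if m["result"] == "Accepted":
            if not is_mgmt(ip):
                alerts.append(("HIGH", user, ip, "login accepted from outside management network"))
        else:
            failed[(user, ip)] += 1
            if failed[(user, ip)] == fail_threshold:  # alert once per source
                alerts.append(("MEDIUM", user, ip, f"{fail_threshold} failed logins"))
    return alerts

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Mar 24 02:11:03 ssr1 sshd[4101]: Failed password for t128 from 203.0.113.45 port 40112 ssh2
Mar 24 02:11:05 ssr1 sshd[4101]: Failed password for t128 from 203.0.113.45 port 40112 ssh2
Mar 24 02:11:06 ssr1 sshd[4103]: Failed password for invalid user admin from 203.0.113.45 port 40118 ssh2
Mar 24 02:11:08 ssr1 sshd[4105]: Failed password for t128 from 203.0.113.45 port 40120 ssh2
Mar 24 08:30:41 ssr1 sshd[4310]: Accepted publickey for root from 10.20.0.15 port 52211 ssh2
Mar 25 03:47:19 ssr1 sshd[5022]: Accepted password for t128 from 198.51.100.77 port 33870 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(" | ".join(alert))
```

An accepted login on either account from an unexpected source deserves investigation even after the password has been changed, since it shows the account is reachable from outside the management network.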

The recent surge in scanning activity underscores the importance of securing network devices against exploitation.

Organizations using Juniper SSR routers must prioritize changing default credentials and applying security patches to safeguard their infrastructure.

As botnets grow more sophisticated, proactive measures remain crucial in defending against emerging threats.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
