Hackers Actively Scanning for Juniper Smart Routers Using Default Passwords

Recent cybersecurity findings reveal an alarming increase in malicious activity targeting Juniper’s Session Smart Networking Platform (SSR).

According to SANS tech reports, attackers are focusing their efforts on devices that still use the default credentials, “t128” as the username and “128tRoutes” as the password, which are remnants from Juniper’s acquisition of 128 Technologies.

The surge in scanning activity raises significant concerns for organizations relying on these smart routers.

Incident Details

From March 23 to March 28, 2025, cybersecurity experts recorded a spike in scans specifically probing for the “t128” username.

Approximately 3,000 unique IP addresses were involved in these scans, indicating coordinated botnet activity, likely tied to a “Mirai-type” botnet.

Such botnets typically exploit known vulnerabilities or weak security configurations to compromise devices en masse.

What makes these scans particularly troubling is the fact that the default credentials for Juniper’s SSR platform have remained unchanged since its integration into Juniper’s portfolio.

Despite the product’s evolution, the username and password from its 128 Technologies roots persist in the documentation, which is easily accessible online. Hackers are now leveraging this publicly available information to locate vulnerable devices.

Impact on Organizations

Juniper’s Session Smart Routing is widely used for intelligent networking and traffic optimization.

Exploiting default credentials could give attackers unauthorized access, potentially leading to data exfiltration, lateral movement within networks, or even a hijacking of routing operations.

Devices left unsecured could become part of larger botnets, amplifying the impact of cyberattacks globally.

Worryingly, there have been reports from users indicating challenges in changing default passwords for the “root” or “t128” accounts.

The process reportedly lacks clarity, leaving some users exposed despite efforts to secure their devices. This could exacerbate the issue as organizations struggle to implement proper remediation measures.

Recommendations

For organizations using Juniper’s SSR devices, immediate action is imperative:

  1. Change Default Credentials: Ensure that the default “t128” account password is updated to a strong, unique password. If the password change process is unclear, consult Juniper’s technical support or documentation.
  2. Review Access Controls: Regularly audit device settings to confirm all accounts are properly secured. Disable unnecessary accounts or permissions.
  3. Monitor for Unusual Activity: Use intrusion detection systems to identify potential brute-force attempts or unauthorized logins targeting SSR devices.
  4. Update Firmware: Keep devices updated to the latest firmware version to mitigate vulnerabilities.
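
For the monitoring step, the following added example (not from the original article or from Juniper) separates scan noise against the default account names from the event that matters most, a successful password login. It assumes the probes arrive as SSH password logins recorded in OpenSSH-style log lines; the sample lines, host name, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

WATCHED_USERS = {"t128", "root"}  # account names the article mentions

# Assumption: OpenSSH-style sshd messages, as found in syslog/auth.log.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines using documentation IP ranges, not real telemetry.
SAMPLE_LOG = """\
Mar 25 10:01:02 ssr1 sshd[4101]: Failed password for invalid user t128 from 192.0.2.10 port 40122 ssh2
Mar 25 10:01:05 ssr1 sshd[4102]: Failed password for invalid user t128 from 198.51.100.7 port 51811 ssh2
Mar 25 10:01:09 ssr1 sshd[4103]: Failed password for root from 192.0.2.10 port 40130 ssh2
Mar 25 10:02:11 ssr1 sshd[4104]: Failed password for invalid user admin from 203.0.113.5 port 33012 ssh2
Mar 25 10:03:30 ssr1 sshd[4105]: Accepted password for t128 from 198.51.100.7 port 51900 ssh2
Mar 25 10:04:00 ssr1 sshd[4106]: Accepted publickey for netops from 10.0.0.5 port 50222 ssh2
"""

def analyze(log_text, watched=WATCHED_USERS):
    """Return (failed, accepted): failed maps user -> set of source IPs,
    accepted lists (user, ip) for successful password logins."""
    failed, accepted = defaultdict(set), []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m or m["user"] not in watched:
            continue
        if m["result"] == "Failed":
            failed[m["user"]].add(m["ip"])
        else:
            accepted.append((m["user"], m["ip"]))
    return dict(failed), accepted

def alerts(log_text):
    """Return (severity, message) pairs; a successful login outranks scan noise."""
    failed, accepted = analyze(log_text)
    out = []
    for user, ip in accepted:
        note = " after failed attempts" if ip in failed.get(user, ()) else ""
        out.append(("critical", f"password login as {user} from {ip}{note}"))
    for user, ips in sorted(failed.items()):
        out.append(("warning", f"{len(ips)} source IP(s) probing {user}"))
    return out

if __name__ == "__main__":
    for severity, message in alerts(SAMPLE_LOG):
        print(severity.upper(), message)
```

A password login accepted for “t128” indicates the account still has a usable password, so it is reported as critical regardless of how many failed probes preceded it.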

As cyberattacks continue to evolve, hackers are quick to exploit overlooked security flaws, such as default credentials.

The recent surge in scans targeting Juniper’s SSR platform serves as a stark reminder for organizations to prioritize basic security hygiene.

Default passwords are low-hanging fruit for attackers, and leaving such credentials unchanged creates unnecessary risk exposure.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
