Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0583
Vulnerability from certfr_avis - Published: 2025-07-10 - Updated: 2025-07-10
De multiples vulnérabilités ont été découvertes dans les produits Juniper Networks. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Juniper Networks | Apstra | Apstra versions antérieures à 6.0.0 | ||
| Juniper Networks | Security Director | Security Director versions antérieures à 24.4.1-1703 | ||
| Juniper Networks | CTPView | CTPview versions antérieures à 9.3R2 | ||
| Juniper Networks | Junos OS Evolved | Junos OS Evolved versions antérieures à 21.4R3-S7-EVO, 22.2R3-S6-EVO, 22.2R3-S7-EVO, 22.3R3-S3-EVO, 22.4R3-S5-EVO, 22.4R3-S6-EVO, 22.4R3-S7-EVO, 23.2R2-EVO, 23.2R2-S1-EVO, 23.2R2-S3-EVO, 23.2R2-S4-EVO, 23.4R1-S2-EVO, 23.4R2-EVO, 23.4R2-S4-EVO, 23.4R2-S5-EVO, 24.2R1-EVO, 24.2R2-EVO, 24.2R2-S1-EVO, 24.4R1-EVO, 24.4R1-S2-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.1R1-EVO et 25.2R1-EVO | ||
| Juniper Networks | Junos OS | Junos OS versions antérieures à 21.2R3-S9, 21.4R3-S10, 21.4R3-S11, 21.4R3-S7, 21.4R3-S8, 21.4R3-S9, 22.2R3-S1, 22.2R3-S4, 22.2R3-S5, 22.2R3-S6, 22.2R3-S7, 22.3R3-S3, 22.4R2, 22.4R3-S2, 22.4R3-S5, 22.4R3-S6, 22.4R3-S7, 23.2R1, 23.2R2, 23.2R2-S1, 23.2R2-S3, 23.2R2-S4, 23.4R1-S2, 23.4R2, 23.4R2-S3, 23.4R2-S4, 23.4R2-S5, 24.2R1, 24.2R1-S1, 24.2R1-S2, 24.2R2, 24.2R2-S1, 24.4R1, 24.4R1-S2, 24.4R1-S3, 24.4R2 et 25.2R1 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Apstra versions ant\u00e9rieures \u00e0 6.0.0",
"product": {
"name": "Apstra",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
},
{
"description": "Security Director versions ant\u00e9rieures \u00e0 24.4.1-1703",
"product": {
"name": "Security Director",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
},
{
"description": "CTPview versions ant\u00e9rieures \u00e0 9.3R2",
"product": {
"name": "CTPView",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
},
{
"description": "Junos OS Evolved versions ant\u00e9rieures \u00e0 21.4R3-S7-EVO, 22.2R3-S6-EVO, 22.2R3-S7-EVO, 22.3R3-S3-EVO, 22.4R3-S5-EVO, 22.4R3-S6-EVO, 22.4R3-S7-EVO, 23.2R2-EVO, 23.2R2-S1-EVO, 23.2R2-S3-EVO, 23.2R2-S4-EVO, 23.4R1-S2-EVO, 23.4R2-EVO, 23.4R2-S4-EVO, 23.4R2-S5-EVO, 24.2R1-EVO, 24.2R2-EVO, 24.2R2-S1-EVO, 24.4R1-EVO, 24.4R1-S2-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.1R1-EVO et 25.2R1-EVO",
"product": {
"name": "Junos OS Evolved",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
},
{
"description": "Junos OS versions ant\u00e9rieures \u00e0 21.2R3-S9, 21.4R3-S10, 21.4R3-S11, 21.4R3-S7, 21.4R3-S8, 21.4R3-S9, 22.2R3-S1, 22.2R3-S4, 22.2R3-S5, 22.2R3-S6, 22.2R3-S7, 22.3R3-S3, 22.4R2, 22.4R3-S2, 22.4R3-S5, 22.4R3-S6, 22.4R3-S7, 23.2R1, 23.2R2, 23.2R2-S1, 23.2R2-S3, 23.2R2-S4, 23.4R1-S2, 23.4R2, 23.4R2-S3, 23.4R2-S4, 23.4R2-S5, 24.2R1, 24.2R1-S1, 24.2R1-S2, 24.2R2, 24.2R2-S1, 24.4R1, 24.4R1-S2, 24.4R1-S3, 24.4R2 et 25.2R1",
"product": {
"name": "Junos OS",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-52984",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52984"
},
{
"name": "CVE-2020-10136",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10136"
},
{
"name": "CVE-2024-23918",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23918"
},
{
"name": "CVE-2024-21820",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21820"
},
{
"name": "CVE-2025-52950",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52950"
},
{
"name": "CVE-2025-52983",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52983"
},
{
"name": "CVE-2025-52952",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52952"
},
{
"name": "CVE-2025-52963",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52963"
},
{
"name": "CVE-2024-3596",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3596"
},
{
"name": "CVE-2025-26466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26466"
},
{
"name": "CVE-2024-23984",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23984"
},
{
"name": "CVE-2025-52986",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52986"
},
{
"name": "CVE-2025-52988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52988"
},
{
"name": "CVE-2025-52949",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52949"
},
{
"name": "CVE-2025-6549",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6549"
},
{
"name": "CVE-2025-52954",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52954"
},
{
"name": "CVE-2024-7595",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7595"
},
{
"name": "CVE-2025-52947",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52947"
},
{
"name": "CVE-2025-52958",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52958"
},
{
"name": "CVE-2025-52964",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52964"
},
{
"name": "CVE-2025-52946",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52946"
},
{
"name": "CVE-2024-21853",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21853"
},
{
"name": "CVE-2025-52951",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52951"
},
{
"name": "CVE-2025-23019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23019"
},
{
"name": "CVE-2025-52955",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52955"
},
{
"name": "CVE-2025-23018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23018"
},
{
"name": "CVE-2025-52948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52948"
},
{
"name": "CVE-2025-52981",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52981"
},
{
"name": "CVE-2024-24968",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24968"
},
{
"name": "CVE-2025-52953",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52953"
},
{
"name": "CVE-2025-52985",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52985"
},
{
"name": "CVE-2025-52989",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52989"
},
{
"name": "CVE-2025-52980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52980"
},
{
"name": "CVE-2025-52982",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52982"
},
{
"name": "CVE-2025-30661",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30661"
}
],
"initial_release_date": "2025-07-10T00:00:00",
"last_revision_date": "2025-07-10T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0583",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-07-10T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Juniper Networks. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Juniper Networks",
"vendor_advisories": [
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52988",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Privilege-escalation-via-CLI-command-request-system-logout-CVE-2025-52988"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52963",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-A-low-privileged-user-can-disable-an-interface-CVE-2025-52963"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52958",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-When-route-validation-is-enabled-BGP-connection-establishment-failure-causes-RPD-crash-CVE-2025-52958"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52985",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-Evolved-When-a-control-plane-firewall-filter-refers-to-a-prefix-list-with-more-then-10-entries-it-s-not-matching-CVE-2025-52985"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52986",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-When-RIB-sharding-is-configured-each-time-a-show-command-is-executed-RPD-memory-leaks-CVE-2025-52986"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2024-3596",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Vulnerability-in-the-RADIUS-protocol-for-Subscriber-Management-Blast-RADIUS-CVE-2024-3596"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52989",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Annotate-configuration-command-can-be-used-for-privilege-escalation-CVE-2025-52989"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52981",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-SRX-Series-Sequence-of-specific-PIM-packets-causes-a-flowd-crash-CVE-2025-52981"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52983",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-After-removing-ssh-public-key-authentication-root-can-still-log-in-CVE-2025-52983"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52946",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-With-traceoptions-enabled-receipt-of-malformed-AS-PATH-causes-RPD-crash-CVE-2025-52946"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52954",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-Evolved-A-low-privileged-user-can-execute-CLI-commands-and-modify-the-configuration-compromise-the-system-CVE-2025-52954"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52953",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-An-unauthenticated-adjacent-attacker-sending-a-valid-BGP-UPDATE-packet-forces-a-BGP-session-reset-CVE-2025-52953"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52947",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-ACX-Series-When-hot-standby-mode-is-configured-for-an-L2-circuit-interface-flap-causes-the-FEB-to-crash"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52949",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-In-an-EVPN-environment-receipt-of-a-specifically-malformed-BGP-update-causes-RPD-crash-CVE-2025-52949"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks 2025-07-Security-Bulletin-Juniper-Apstra-Multiple-Vulnerabilities-resolved-in-Intel-microcode-package",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Juniper-Apstra-Multiple-Vulnerabilities-resolved-in-Intel-microcode-package"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-26466",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-CTPView-OpenSSH-vulnerability-CVE-2025-26466-resolved-in-9-3R2-release"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52955",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-When-jflow-sflow-is-enabled-receipt-of-specific-route-updates-causes-rpd-crash-CVE-2025-52955"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52952",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-MX-Series-with-MPC-BUILTIN-MPC-1-through-MPC-9-Receipt-and-processing-of-a-malformed-packet-causes-one-or-more-FPCs-to-crash-CVE-2025-52952"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-30661",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-Low-privileged-user-can-cause-script-to-run-as-root-leading-to-privilege-escalation-CVE-2025-30661"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52951",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-IPv6-firewall-filter-fails-to-match-payload-protocol-CVE-2025-52951"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52984",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-When-a-static-route-points-to-an-unreachable-next-hop-and-a-gNMI-query-for-this-route-is-processed-RPD-crashes-CVE-2025-52984"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52948",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-Specific-unknown-traffic-pattern-causes-FPC-and-system-to-crash-when-packet-capturing-is-enabled-CVE-2025-52948"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52964",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Junos-OS-and-Junos-OS-Evolved-Receipt-of-a-specific-BGP-UPDATE-causes-an-rpd-crash-on-devices-with-BGP-multipath-configured-CVE-2025-52964"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52982",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-MX-Series-When-specific-SIP-packets-are-processed-the-MS-MPC-will-crash-CVE-2025-52982"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52950",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Juniper-Security-Director-Insufficient-authorization-for-multiple-endpoints-in-web-interface-CVE-2025-52950"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-52980",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-SRX300-Series-Upon-receiving-a-specific-valid-BGP-UPDATE-message-rpd-will-crash-CVE-2025-52980"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks CVE-2025-6549",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-SRX-Series-J-Web-can-be-exposed-on-additional-interfaces-CVE-2025-6549"
},
{
"published_at": "2025-07-09",
"title": "Bulletin de s\u00e9curit\u00e9 Juniper Networks 2025-07-Security-Bulletin-Junos-OS-Evolved-Multiple-vulnerabilities-resolved-for-Insecure-Implementation-of-Tunneling-Protocols-GRE-IPIP-4in6-6in4-VU-199397",
"url": "https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-Evolved-Multiple-vulnerabilities-resolved-for-Insecure-Implementation-of-Tunneling-Protocols-GRE-IPIP-4in6-6in4-VU-199397"
}
]
}
CVE-2025-26466 (GCVE-0-2025-26466)
Vulnerability from cvelistv5 – Published: 2025-02-28 21:25 – Updated: 2026-02-10 17:13
VLAI
EPSS
Title
Openssh: denial-of-service in openssh
Summary
A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.
Severity
5.9 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
15 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2025-26466 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2345043 | issue-trackingx_refsource_REDHAT |
| https://seclists.org/oss-sec/2025/q1/144 | |
| https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt | |
| https://security.netapp.com/advisory/ntap-2025022… | |
| https://www.openwall.com/lists/oss-security/2025/… | |
| https://www.openwall.com/lists/oss-security/2025/… | |
| https://bugzilla.suse.com/show_bug.cgi?id=1237041 | |
| https://security-tracker.debian.org/tracker/CVE-2… | |
| https://ubuntu.com/security/CVE-2025-26466 | |
| http://seclists.org/fulldisclosure/2025/May/8 | |
| http://seclists.org/fulldisclosure/2025/May/7 | |
| http://seclists.org/fulldisclosure/2025/Feb/18 | |
| https://www.vicarius.io/vsociety/posts/cve-2025-2… | |
| https://www.vicarius.io/vsociety/posts/cve-2025-2… |
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
|
Affected:
9.5p1 , ≤ 9.9p1
(custom)
|
|||
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
Date Public
2025-02-18 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-10T17:13:57.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250228-0002/"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/1"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/4"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1237041"
},
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-26466"
},
{
"url": "https://ubuntu.com/security/CVE-2025-26466"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/8"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/7"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Feb/18"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-26466-detection-script-memory-consumption-vulnerability-in-openssh"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-26466-mitigation-script-memory-consumption-vulnerability-in-openssh"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26466",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T19:51:35.555196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T19:51:39.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.openssh.com/",
"defaultStatus": "unaffected",
"packageName": "OpenSSH",
"repo": "https://anongit.mindrot.org/openssh.git",
"versions": [
{
"lessThanOrEqual": "9.9p1",
"status": "affected",
"version": "9.5p1",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2025-02-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T23:33:10.047Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-26466"
},
{
"name": "RHBZ#2345043",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345043"
},
{
"url": "https://seclists.org/oss-sec/2025/q1/144"
},
{
"url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-11T19:51:30.375Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-02-18T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Openssh: denial-of-service in openssh",
"workarounds": [
{
"lang": "en",
"value": "This issue can be mitigated by setting the following three different options in the sshd configuration file located at: /etc/ssh/sshd_config\n\nMaxStartups: Set to a reasonable value, this option controls the maximum number of concurrent unauthenticated connections the SSH server accepts;\n\nPerSourcePenalties: Set its suboptions to a reasonable value, this option is used to help sshd to detect and drop connections that are potentially malicious for the SSH server;\n\nLoginGraceTime: Set to a resonable value, this option controls how much time the SSH server will wait the client to authenticate before dropping its connection;\n\nAll the three option above needs to be set to implement a full mitigation for this vulnerability."
}
],
"x_redhatCweChain": "CWE-770: Allocation of Resources Without Limits or Throttling"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-26466",
"datePublished": "2025-02-28T21:25:28.861Z",
"dateReserved": "2025-02-10T18:31:47.979Z",
"dateUpdated": "2026-02-10T17:13:57.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30661 (GCVE-0-2025-30661)
Vulnerability from cvelistv5 – Published: 2025-07-11 14:38 – Updated: 2026-02-26 17:50
VLAI
EPSS
Title
Junos OS: Low-privileged user can cause script to run as root, leading to privilege escalation
Summary
An Incorrect Permission Assignment for Critical Resource vulnerability in line card script processing of Juniper Networks Junos OS allows a local, low-privileged user to install scripts to be executed as root, leading to privilege escalation.
A local user with access to the local file system can copy a script to the router in a way that will be executed as root, as the system boots. Execution of the script as root can lead to privilege escalation, potentially providing the adversary complete control of the system.
This issue only affects specific line cards, such as the MPC10, MPC11, LC4800, LC9600, MX304-LMIC16, SRX4700, and EX9200-15C.
This issue affects Junos OS: * from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S1,
* from 24.4 before 24.4R1-S3, 24.4R2.
This issue does not affect versions prior to 23.1R2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100057 | vendor-advisory |
| https://github.com/orangecertcc/security-research… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
23.2 , < 23.2R2-S4
(semver)
Affected: 23.4 , < 23.4R2-S5 (semver) Affected: 24.2 , < 24.2R2-S1 (semver) Affected: 24.4 , < 24.4R1-S3, 24.4R2 (semver) Unaffected: 0 , < 23.1R2 (semver) |
Date Public
2025-07-09 16:00
Credits
Juniper SIRT would like to acknowledge and thank Pierre EMERIAUD from Orange group & Orange CERT-CC for responsibly reporting this vulnerability.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-12T03:55:13.460051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:50:46.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "23.2R2-S4",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S5",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2-S1",
"status": "affected",
"version": "24.2",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3, 24.4R2",
"status": "affected",
"version": "24.4",
"versionType": "semver"
},
{
"lessThan": "23.1R2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juniper SIRT would like to acknowledge and thank Pierre EMERIAUD from Orange group \u0026 Orange CERT-CC for responsibly reporting this vulnerability."
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Incorrect Permission Assignment for Critical Resource vulnerability in line card script processing of Juniper Networks Junos OS allows a local, low-privileged user to install scripts to be executed as root, leading to privilege escalation.\u003cbr\u003e\u003cbr\u003eA local user with access to the local file system can copy a script to the router in a way that will be executed as root, as the system boots. Execution of the script as root can lead to privilege escalation, potentially providing the adversary complete control of the system.\u003cbr\u003e\u003cbr\u003eThis issue only affects specific line cards, such as the MPC10, MPC11, LC4800, LC9600, MX304-LMIC16, SRX4700, and EX9200-15C.\u003cbr\u003e\u003cbr\u003eThis issue affects Junos OS:\u003cul\u003e\u003cli\u003efrom 23.2 before 23.2R2-S4,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4 before 23.4R2-S5,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2 before 24.2R2-S1,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.4 before 24.4R1-S3, 24.4R2.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\n\nThis issue does not affect versions prior to 23.1R2.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "An Incorrect Permission Assignment for Critical Resource vulnerability in line card script processing of Juniper Networks Junos OS allows a local, low-privileged user to install scripts to be executed as root, leading to privilege escalation.\n\nA local user with access to the local file system can copy a script to the router in a way that will be executed as root, as the system boots. Execution of the script as root can lead to privilege escalation, potentially providing the adversary complete control of the system.\n\nThis issue only affects specific line cards, such as the MPC10, MPC11, LC4800, LC9600, MX304-LMIC16, SRX4700, and EX9200-15C.\n\nThis issue affects Junos OS: * from 23.2 before 23.2R2-S4,\u00a0\n * from 23.4 before 23.4R2-S5,\u00a0\n * from 24.2 before 24.2R2-S1,\u00a0\n * from 24.4 before 24.4R1-S3, 24.4R2.\n\n\n\n\n\n\nThis issue does not affect versions prior to 23.1R2."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:38:52.289Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100057"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-2p66-9j7x-fmch"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: 23.4R2-S4, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases.\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue: 23.4R2-S4, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA100057",
"defect": [
"1873056"
],
"discovery": "EXTERNAL"
},
"title": "Junos OS: Low-privileged user can cause script to run as root, leading to privilege escalation",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(255, 255, 255, 0.85);\"\u003eUse access lists or firewall filters to limit access to the device via CLI only from trusted hosts and administrators.\u003c/span\u003e"
}
],
"value": "Use access lists or firewall filters to limit access to the device via CLI only from trusted hosts and administrators."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-30661",
"datePublished": "2025-07-11T14:38:52.289Z",
"dateReserved": "2025-03-24T19:34:11.323Z",
"dateUpdated": "2026-02-26T17:50:46.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52946 (GCVE-0-2025-52946)
Vulnerability from cvelistv5 – Published: 2025-07-11 14:39 – Updated: 2025-07-11 15:25
VLAI
EPSS
Title
Junos OS and Junos OS Evolved: With traceoptions enabled, receipt of malformed AS PATH causes RPD crash
Summary
A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS condition.
On all Junos OS and Junos OS Evolved platforms, the rpd process will crash and restart when a specifically malformed AS PATH is received within a BGP update and traceoptions are enabled.
This issue only affects systems with BGP traceoptions enabled and requires a BGP session to be already established. Systems without BGP traceoptions enabled are not impacted by this issue.
This issue affects:
Junos OS:
* All versions before 21.2R3-S9,
* all versions of 21.4,
* from 22.2 before 22.2R3-S6,
* from 22.4 before 22.4R3-S5,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S4,
* from 24.2 before 24.2R2;
Junos OS Evolved:
* All versions before 22.4R3-S5-EVO,
* from 23.2-EVO before 23.2R2-S3-EVO,
* from 23.4-EVO before 23.4R2-S4-EVO,
* from 24.2-EVO before 24.2R2-EVO.
This is a more complete fix for previously published CVE-2024-39549 (JSA83011).
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100050 | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 21.2R3-S9
(semver)
Affected: 21.4 , < * (sem) Affected: 22.2 , < 22.2R3-S6 (semver) Affected: 22.4 , < 22.4R3-S5 (semver) Affected: 23.2 , < 23.2R2-S3 (semver) Affected: 23.4 , < 23.4R2-S4 (semver) Affected: 24.2 , < 24.2R2 (semver) |
|
| Juniper Networks | Junos OS Evolved |
Affected:
0 , < 22.4R3-S5-EVO
(semver)
Affected: 23.2-EVO , < 23.2R2-S3-EVO (semver) Affected: 23.4-EVO , < 23.4R2-S4-EVO (semver) Affected: 24.2-EVO , < 24.2R2-EVO (semver) |
Date Public
2025-07-09 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52946",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T15:25:22.848492Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T15:25:30.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.2R3-S9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "affected",
"version": "21.4",
"versionType": "sem"
},
{
"lessThan": "22.2R3-S6",
"status": "affected",
"version": "22.2",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S5",
"status": "affected",
"version": "22.4",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S3",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S4",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2",
"status": "affected",
"version": "24.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.4R3-S5-EVO",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S3-EVO",
"status": "affected",
"version": "23.2-EVO",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S4-EVO",
"status": "affected",
"version": "23.4-EVO",
"versionType": "semver"
},
{
"lessThan": "24.2R2-EVO",
"status": "affected",
"version": "24.2-EVO",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "One of the following traceoptions configurations, either at the top level, under [logical-systems], or [routing-instances], is required to be potentially exposed to this issue:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[protocols bgp traceoptions]\u003cbr\u003e[protocols bgp group \u0026lt;group-name\u0026gt; traceoptions]\u003cbr\u003e[protocols bgp group \u0026lt;group-name\u0026gt; neighbor \u0026lt;address\u0026gt; traceoptions]\u003c/tt\u003e\n\n\u003cbr\u003e"
}
],
"value": "One of the following traceoptions configurations, either at the top level, under [logical-systems], or [routing-instances], is required to be potentially exposed to this issue:\n\n[protocols bgp traceoptions]\n[protocols bgp group \u003cgroup-name\u003e traceoptions]\n[protocols bgp group \u003cgroup-name\u003e neighbor \u003caddress\u003e traceoptions]"
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS condition.\u003cbr\u003e\u003cbr\u003eOn all Junos OS and Junos OS Evolved platforms, the rpd process will crash and restart when a specifically malformed AS PATH is received within a BGP update and traceoptions are enabled.\u003c/p\u003e\u003cp\u003eThis issue only affects systems with BGP traceoptions enabled and requires a BGP session to be already established. Systems without BGP traceoptions enabled are not impacted by this issue.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects:\u003c/p\u003e\u003cp\u003e\u0026nbsp;Junos OS:\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll versions before 21.2R3-S9,\u0026nbsp;\u003c/li\u003e\u003cli\u003eall versions of 21.4,\u003c/li\u003e\u003cli\u003efrom 22.2 before 22.2R3-S6,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.4 before 22.4R3-S5,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2 before 23.2R2-S3,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4 before 23.4R2-S4,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2 before 24.2R2;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eJunos OS Evolved:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll versions before 22.4R3-S5-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2-EVO before 23.2R2-S3-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4-EVO before 23.4R2-S4-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2-EVO before 24.2R2-EVO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\n\n\u003cbr\u003eThis is a more complete fix for previously published CVE-2024-39549 (JSA83011).\u003cbr\u003e"
}
],
"value": "A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS condition.\n\nOn all Junos OS and Junos OS Evolved platforms, the rpd process will crash and restart when a specifically malformed AS PATH is received within a BGP update and traceoptions are enabled.\n\nThis issue only affects systems with BGP traceoptions enabled and requires a BGP session to be already established. Systems without BGP traceoptions enabled are not impacted by this issue.\n\n\n\nThis issue affects:\n\n\u00a0Junos OS:\n\n\n\n * All versions before 21.2R3-S9,\u00a0\n * all versions of 21.4,\n * from 22.2 before 22.2R3-S6,\u00a0\n * from 22.4 before 22.4R3-S5,\u00a0\n * from 23.2 before 23.2R2-S3,\u00a0\n * from 23.4 before 23.4R2-S4,\u00a0\n * from 24.2 before 24.2R2;\u00a0\n\n\n\n\nJunos OS Evolved:\u00a0\n\n\n\n * All versions before 22.4R3-S5-EVO,\u00a0\n * from 23.2-EVO before 23.2R2-S3-EVO,\u00a0\n * from 23.4-EVO before 23.4R2-S4-EVO,\u00a0\n * from 24.2-EVO before 24.2R2-EVO.\n\n\n\n\n\n\n\nThis is a more complete fix for previously published CVE-2024-39549 (JSA83011)."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:39:59.014Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100050"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: \u003cbr\u003eJunos OS 21.2R3-S9, 22.2R3-S6, 22.4R3-S5, 23.2R2-S3, 23.4R2-S4, 24.2R2, 24.4R1, and all subsequent releases.\u003cbr\u003eJunos OS Evolved: 22.4R3-S5-EVO, 23.2R2-S3-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-EVO, and all subsequent releases.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue: \nJunos OS 21.2R3-S9, 22.2R3-S6, 22.4R3-S5, 23.2R2-S3, 23.4R2-S4, 24.2R2, 24.4R1, and all subsequent releases.\nJunos OS Evolved: 22.4R3-S5-EVO, 23.2R2-S3-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-EVO, and all subsequent releases."
}
],
"source": {
"advisory": "JSA100050",
"defect": [
"1810622"
],
"discovery": "USER"
},
"title": "Junos OS and Junos OS Evolved: With traceoptions enabled, receipt of malformed AS PATH causes RPD crash",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Disable BGP traceoptions if they are not being used for active troubleshooting."
}
],
"value": "Disable BGP traceoptions if they are not being used for active troubleshooting."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52946",
"datePublished": "2025-07-11T14:39:59.014Z",
"dateReserved": "2025-06-23T13:16:01.408Z",
"dateUpdated": "2025-07-11T15:25:30.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52947 (GCVE-0-2025-52947)
Vulnerability from cvelistv5 – Published: 2025-07-11 14:40 – Updated: 2025-07-11 15:25
VLAI
EPSS
Title
Junos OS: ACX Series: When 'hot-standby' mode is configured for an L2 circuit, interface flap causes the FEB to crash
Summary
An Improper Handling of Exceptional Conditions vulnerability in route processing of Juniper Networks Junos OS on specific end-of-life (EOL) ACX Series platforms allows an attacker to crash the Forwarding Engine Board (FEB) by flapping an interface, leading to a Denial of Service (DoS).
On ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096 devices, FEB0 will crash when the primary path port of the L2 circuit IGP (Interior Gateway Protocol) on the local device goes down. This issue is seen only when 'hot-standby' mode is configured for the L2 circuit.
This issue affects Junos OS on ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096:
* all versions before 21.2R3-S9.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100051 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 21.2R3-S9
(semver)
|
Date Public
2025-07-09 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T15:25:03.681598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T15:25:08.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"ACX1000",
"ACX1100",
"ACX2000",
"ACX2100",
"ACX2200",
"ACX4000",
"ACX5048",
"ACX5096"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.2R3-S9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue only occurs when an L2 circuit is configured for hot-standby.\u0026nbsp; For example:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[protocols l2circuit neighbor x.x.x.x interface \u0026lt;intf\u0026gt; backup-neighbor x.x.x.x hot-standby]\u003c/tt\u003e"
}
],
"value": "This issue only occurs when an L2 circuit is configured for hot-standby.\u00a0 For example:\n\n[protocols l2circuit neighbor x.x.x.x interface \u003cintf\u003e backup-neighbor x.x.x.x hot-standby]"
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Handling of Exceptional Conditions vulnerability in route processing of Juniper Networks Junos OS on specific end-of-life (EOL) ACX Series platforms allows an attacker to crash the Forwarding Engine Board (FEB) by flapping an interface, leading to a Denial of Service (DoS).\u003cbr\u003e\u003cbr\u003eOn\u0026nbsp;ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096 devices, FEB0 will crash when the primary path port of the L2 circuit IGP (Interior Gateway Protocol) on the local device goes down. This issue is seen only when \u0027hot-standby\u0027 mode is configured for the L2 circuit.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS on ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 21.2R3-S9.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "An Improper Handling of Exceptional Conditions vulnerability in route processing of Juniper Networks Junos OS on specific end-of-life (EOL) ACX Series platforms allows an attacker to crash the Forwarding Engine Board (FEB) by flapping an interface, leading to a Denial of Service (DoS).\n\nOn\u00a0ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096 devices, FEB0 will crash when the primary path port of the L2 circuit IGP (Interior Gateway Protocol) on the local device goes down. This issue is seen only when \u0027hot-standby\u0027 mode is configured for the L2 circuit.\n\nThis issue affects Junos OS on ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096:\u00a0\n\n\n\n * all versions before 21.2R3-S9."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/R:A/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:40:14.792Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100051"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: 21.2R3-S9.\u003cbr\u003e\u003cbr\u003eNote: Support for the ACX2k Series ended with Junos OS 21.2."
}
],
"value": "The following software releases have been updated to resolve this specific issue: 21.2R3-S9.\n\nNote: Support for the ACX2k Series ended with Junos OS 21.2."
}
],
"source": {
"advisory": "JSA100051",
"defect": [
"1840825"
],
"discovery": "USER"
},
"title": "Junos OS: ACX Series: When \u0027hot-standby\u0027 mode is configured for an L2 circuit, interface flap causes the FEB to crash",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue."
}
],
"value": "There are no known workarounds for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52947",
"datePublished": "2025-07-11T14:40:14.792Z",
"dateReserved": "2025-06-23T13:16:01.408Z",
"dateUpdated": "2025-07-11T15:25:08.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52948 (GCVE-0-2025-52948)
Vulnerability from cvelistv5 – Published: 2025-07-11 14:40 – Updated: 2025-07-23 14:57
VLAI
EPSS
Title
Junos OS: Specific unknown traffic pattern causes FPC and system to crash when packet capturing is enabled
Summary
An Improper Handling of Exceptional Conditions vulnerability in Berkeley Packet Filter (BPF) processing of Juniper Networks Junos OS allows an attacker, in rare cases, sending specific, unknown traffic patterns to cause the FPC and system to crash and restart.
BPF provides a raw interface to data link layers in a protocol independent fashion. Internally within the Junos kernel, due to a rare timing issue (race condition), when a BPF instance is cloned, the newly created interface causes an internal structure leakage, leading to a system crash. The precise content and timing of the traffic patterns is indeterminate, but has been seen in a lab environment multiple times.
This issue is more likely to occur when packet capturing is enabled. See required configuration below.
This issue affects Junos OS:
* all versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S10,
* from 22.2 before 22.2R3-S6,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S3,
* from 24.2 before 24.2R1-S1, 24.2R2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100052 | vendor-advisory |
| https://www.juniper.net/documentation/us/en/softw… | technical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 21.2R3-S9
(semver)
Affected: 21.4 , < 21.4R3-S10 (semver) Affected: 22.2 , < 22.2R3-S6 (semver) Affected: 22.4 , < 22.4R3-S7 (semver) Affected: 23.2 , < 23.2R2-S3 (semver) Affected: 23.4 , < 23.4R2-S3 (semver) Affected: 24.2 , < 24.2R1-S1, 24.2R2 (semver) |
Date Public
2025-07-09 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T15:06:42.389399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T15:06:47.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.2R3-S9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "21.4R3-S10",
"status": "affected",
"version": "21.4",
"versionType": "semver"
},
{
"lessThan": "22.2R3-S6",
"status": "affected",
"version": "22.2",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S7",
"status": "affected",
"version": "22.4",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S3",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S3",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R1-S1, 24.2R2",
"status": "affected",
"version": "24.2",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "BPF is used by applications such as \u0027tcpdump\u0027, enabled in Junos via packet-capture sampling:\u003cbr\u003e\u003cbr\u003e\n\n\u003ctt\u003e[forwarding-options\u0026nbsp;packet-capture file ...]\u003cbr\u003e\u003cbr\u003e[firewall filter \u0026lt;name\u0026gt; term \u0026lt;name\u0026gt; then sample]\u003cbr\u003e\u003cbr\u003e[interfaces \u0026lt;interface\u0026gt; unit \u0026lt;n\u0026gt; family inet filter input \u0026lt;name\u0026gt;]\u003cbr\u003e\n\n[interfaces \u0026lt;interface\u0026gt; unit \u0026lt;n\u0026gt; family inet filter output \u0026lt;name\u0026gt;]\u003cbr\u003e\u003cbr\u003e\u003c/tt\u003eor via the \u0027monitor traffic\u0027 command. For example:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003euser@junos\u0026gt; monitor traffic interface \u0026lt;name\u0026gt;\u003c/tt\u003e"
}
],
"value": "BPF is used by applications such as \u0027tcpdump\u0027, enabled in Junos via packet-capture sampling:\n\n\n\n[forwarding-options\u00a0packet-capture file ...]\n\n[firewall filter \u003cname\u003e term \u003cname\u003e then sample]\n\n[interfaces \u003cinterface\u003e unit \u003cn\u003e family inet filter input \u003cname\u003e]\n\n\n[interfaces \u003cinterface\u003e unit \u003cn\u003e family inet filter output \u003cname\u003e]\n\nor via the \u0027monitor traffic\u0027 command. For example:\n\nuser@junos\u003e monitor traffic interface \u003cname\u003e"
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Handling of Exceptional Conditions vulnerability in Berkeley Packet Filter (BPF) processing of Juniper Networks Junos OS allows an attacker, in rare cases, sending specific, unknown traffic patterns to cause the FPC and system to crash and restart.\u003cbr\u003e\u003cbr\u003eBPF provides a raw interface to data link layers in a protocol independent fashion. Internally within the Junos kernel, due to a rare timing issue (race condition), when a BPF instance is cloned, the newly created interface causes an internal structure leakage, leading to a system crash. The precise content and timing of the traffic patterns is indeterminate, but has been seen in a lab environment multiple times.\u003cbr\u003e\u003cbr\u003eThis issue is more likely to occur when packet capturing is enabled.\u0026nbsp; See required configuration below.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 21.2R3-S9,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 21.4 before 21.4R3-S10,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.2 before 22.2R3-S6,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.4 before 22.4R3-S7,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2 before 23.2R2-S3,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4 before 23.4R2-S3,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2 before 24.2R1-S1, 24.2R2.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "An Improper Handling of Exceptional Conditions vulnerability in Berkeley Packet Filter (BPF) processing of Juniper Networks Junos OS allows an attacker, in rare cases, sending specific, unknown traffic patterns to cause the FPC and system to crash and restart.\n\nBPF provides a raw interface to data link layers in a protocol independent fashion. Internally within the Junos kernel, due to a rare timing issue (race condition), when a BPF instance is cloned, the newly created interface causes an internal structure leakage, leading to a system crash. The precise content and timing of the traffic patterns is indeterminate, but has been seen in a lab environment multiple times.\n\nThis issue is more likely to occur when packet capturing is enabled.\u00a0 See required configuration below.\n\nThis issue affects Junos OS:\u00a0\n\n\n\n * all versions before 21.2R3-S9,\u00a0\n * from 21.4 before 21.4R3-S10,\u00a0\n * from 22.2 before 22.2R3-S6,\u00a0\n * from 22.4 before 22.4R3-S7,\u00a0\n * from 23.2 before 23.2R2-S3,\u00a0\n * from 23.4 before 23.4R2-S3,\u00a0\n * from 24.2 before 24.2R1-S1, 24.2R2."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T14:57:37.021Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100052"
},
{
"tags": [
"technical-description"
],
"url": "https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/topic-map/analyze-network-traffic-by-using-packet-capture.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S7, 23.2R2-S3, 23.4R2-S3, 24.2R1-S1, 24.2R2, 24.4R1, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue: 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S7, 23.2R2-S3, 23.4R2-S3, 24.2R1-S1, 24.2R2, 24.4R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA100052",
"defect": [
"1819102"
],
"discovery": "INTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-07-09T16:00:00.000Z",
"value": "Initial Publication"
},
{
"lang": "en",
"time": "2025-07-18T16:00:00.000Z",
"value": "Corrected vulnerable \u0027monitor\u0027 command from \u0027monitor interface\u0027 to \u0027monitor traffic\u0027"
},
{
"lang": "en",
"time": "2025-07-23T16:00:00.000Z",
"value": "Added workaround of avoiding the execution of the \u0027monitor traffic\u0027 command"
}
],
"title": "Junos OS: Specific unknown traffic pattern causes FPC and system to crash when packet capturing is enabled",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Avoid execution of the \u0027monitor traffic interface\u0027 command on production systems."
}
],
"value": "Avoid execution of the \u0027monitor traffic interface\u0027 command on production systems."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52948",
"datePublished": "2025-07-11T14:40:31.197Z",
"dateReserved": "2025-06-23T13:16:01.408Z",
"dateUpdated": "2025-07-23T14:57:37.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52949 (GCVE-0-2025-52949)
Vulnerability from cvelistv5 – Published: 2025-07-11 14:40 – Updated: 2025-07-11 15:05
VLAI
EPSS
Title
Junos OS and Junos OS Evolved: In an EVPN environment, receipt of specifically malformed BGP update causes RPD crash
Summary
An Improper Handling of Length Parameter Inconsistency vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.
Only systems configured for Ethernet Virtual Private Networking (EVPN) signaling are vulnerable to this issue.
This issue affects iBGP and eBGP, and both IPv4 and IPv6 are affected by this vulnerability.This issue affects:
Junos OS:
* all versions before 21.4R3-S11,
* from 22.2 before 22.2R3-S7,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S1,
* from 24.4 before 24.4R1-S3, 24.4R2;
Junos OS Evolved:
* all versions before 22.2R3-S7-EVO,
* from 22.4-EVO before 22.4R3-S7-EVO,
* from 23.2-EVO before 23.2R2-S4-EVO,
* from 23.4-EVO before 23.4R2-S5-EVO,
* from 24.2-EVO before 24.2R2-S1-EVO,
* from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100053 | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 21.4R3-S11
(semver)
Affected: 22.2 , < 22.2R3-S7 (semver) Affected: 22.4 , < 22.4R3-S7 (semver) Affected: 23.2 , < 23.2R2-S4 (semver) Affected: 23.4 , < 23.4R2-S5 (semver) Affected: 24.2 , < 24.2R2-S1 (semver) Affected: 24.4 , < 24.4R1-S3, 24.4R2 (semver) |
|
| Juniper Networks | Junos OS Evolved |
Affected:
0 , < 22.2R3-S7-EVO
(semver)
Affected: 22.4-EVO , < 22.4R3-S7-EVO (semver) Affected: 23.2-EVO , < 23.2R2-S4-EVO (semver) Affected: 23.4-EVO , < 23.4R2-S5-EVO (semver) Affected: 24.2-EVO , < 24.2R2-S1-EVO (semver) Affected: 24.4-EVO , < 24.4R1-S3-EVO, 24.4R2-EVO (semver) |
Date Public
2025-07-09 16:00
Credits
Juniper SIRT would like to acknowledge and thank Craig Dods from Meta’s Infrastructure Security Engineering team for responsibly reporting this vulnerability.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T15:05:51.634973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T15:05:58.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.4R3-S11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "22.2R3-S7",
"status": "affected",
"version": "22.2",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S7",
"status": "affected",
"version": "22.4",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S5",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2-S1",
"status": "affected",
"version": "24.2",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3, 24.4R2",
"status": "affected",
"version": "24.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.2R3-S7-EVO",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S7-EVO",
"status": "affected",
"version": "22.4-EVO",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4-EVO",
"status": "affected",
"version": "23.2-EVO",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S5-EVO",
"status": "affected",
"version": "23.4-EVO",
"versionType": "semver"
},
{
"lessThan": "24.2R2-S1-EVO",
"status": "affected",
"version": "24.2-EVO",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3-EVO, 24.4R2-EVO",
"status": "affected",
"version": "24.4-EVO",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue only affects systems configured for EVPN signaling.\u0026nbsp; For example:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[protocols bgp family evpn signaling]\u003c/tt\u003e"
}
],
"value": "This issue only affects systems configured for EVPN signaling.\u00a0 For example:\n\n[protocols bgp family evpn signaling]"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juniper SIRT would like to acknowledge and thank Craig Dods from Meta\u2019s Infrastructure Security Engineering team for responsibly reporting this vulnerability."
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Handling of Length Parameter Inconsistency vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\u003cbr\u003e\u003cbr\u003eOnly systems configured for Ethernet Virtual Private Networking (EVPN) signaling are vulnerable to this issue.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eThis issue affects iBGP and eBGP, and both IPv4 and IPv6 are affected by this vulnerability.\u003cp\u003eThis issue affects:\u003c/p\u003e\u003cp\u003eJunos OS:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 21.4R3-S11,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.2 before 22.2R3-S7,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.4 before 22.4R3-S7,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2 before 23.2R2-S4,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4 before 23.4R2-S5,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2 before 24.2R2-S1,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.4 before 24.4R1-S3, 24.4R2;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eJunos OS Evolved:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 22.2R3-S7-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.4-EVO before 22.4R3-S7-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2-EVO before 23.2R2-S4-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4-EVO before 23.4R2-S5-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2-EVO before 24.2R2-S1-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "An Improper Handling of Length Parameter Inconsistency vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\nOnly systems configured for Ethernet Virtual Private Networking (EVPN) signaling are vulnerable to this issue.\u00a0\n\nThis issue affects iBGP and eBGP, and both IPv4 and IPv6 are affected by this vulnerability.This issue affects:\n\nJunos OS:\u00a0\n\n\n\n * all versions before 21.4R3-S11,\u00a0\n * from 22.2 before 22.2R3-S7,\u00a0\n * from 22.4 before 22.4R3-S7,\u00a0\n * from 23.2 before 23.2R2-S4,\u00a0\n * from 23.4 before 23.4R2-S5,\u00a0\n * from 24.2 before 24.2R2-S1,\u00a0\n * from 24.4 before 24.4R1-S3, 24.4R2;\u00a0\n\n\n\n\nJunos OS Evolved:\u00a0\n\n\n\n * all versions before 22.2R3-S7-EVO,\u00a0\n * from 22.4-EVO before 22.4R3-S7-EVO,\u00a0\n * from 23.2-EVO before 23.2R2-S4-EVO,\u00a0\n * from 23.4-EVO before 23.4R2-S5-EVO,\u00a0\n * from 24.2-EVO before 24.2R2-S1-EVO,\u00a0\n * from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:40:41.658Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100053"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: \u003cbr\u003e\u003cbr\u003eJunos OS: 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases.\u003cbr\u003eJunos OS Evolved: 22.2R3-S7-EVO, 22.4R3-S7-EVO, 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases.\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue: \n\nJunos OS: 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases.\nJunos OS Evolved: 22.2R3-S7-EVO, 22.4R3-S7-EVO, 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases."
}
],
"source": {
"advisory": "JSA100053",
"defect": [
"1863170"
],
"discovery": "EXTERNAL"
},
"title": "Junos OS and Junos OS Evolved: In an EVPN environment, receipt of specifically malformed BGP update causes RPD crash",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue."
}
],
"value": "There are no known workarounds for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52949",
"datePublished": "2025-07-11T14:40:41.658Z",
"dateReserved": "2025-06-23T13:16:01.408Z",
"dateUpdated": "2025-07-11T15:05:58.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52950 (GCVE-0-2025-52950)
Vulnerability from cvelistv5 – Published: 2025-07-11 14:40 – Updated: 2026-02-26 17:50
VLAI
EPSS
Title
Juniper Security Director: Insufficient authorization for multiple endpoints in web interface
Summary
A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface.
Numerous endpoints on the Juniper Security Director appliance do not validate authorization and will deliver information to the caller that is outside their authorization level. An attacker can access data that is outside the user's authorization level. The information obtained can be used to gain access to additional information or perpetrate other attacks, impacting downstream managed devices.
This issue affects Security Director version 24.4.1.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100054 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Juniper Security Director |
Affected:
24.4.1
(semver)
|
Date Public
2025-07-09 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-12T03:55:12.582141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:50:45.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Juniper Security Director",
"vendor": "Juniper Networks",
"versions": [
{
"status": "affected",
"version": "24.4.1",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A\u0026nbsp;Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface.\u003cbr\u003e\u003cbr\u003eNumerous endpoints on the Juniper Security Director appliance do not validate authorization and will deliver information to the caller that is outside their authorization level.\u0026nbsp;An attacker can access data that is outside the user\u0027s authorization level. The information obtained can be used to gain access to additional information or perpetrate other attacks, impacting downstream managed devices.\u003cbr\u003e\u003cbr\u003e\n\nThis issue affects Security Director version 24.4.1."
}
],
"value": "A\u00a0Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface.\n\nNumerous endpoints on the Juniper Security Director appliance do not validate authorization and will deliver information to the caller that is outside their authorization level.\u00a0An attacker can access data that is outside the user\u0027s authorization level. The information obtained can be used to gain access to additional information or perpetrate other attacks, impacting downstream managed devices.\n\n\n\nThis issue affects Security Director version 24.4.1."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:40:49.980Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100054"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: Juniper Security Director Software Bundle Update 24.4.1-1703, and all subsequent releases\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue: Juniper Security Director Software Bundle Update 24.4.1-1703, and all subsequent releases"
}
],
"source": {
"advisory": "JSA100054",
"defect": [
"SB-14875",
"SB-15264",
"SB-15265",
"SB-15266",
"SB-15267",
"SB-15268",
"SB-15269"
],
"discovery": "INTERNAL"
},
"title": "Juniper Security Director: Insufficient authorization for multiple endpoints in web interface",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use access lists or firewall filters to limit access to the web interface only from trusted hosts.\u003cbr\u003e"
}
],
"value": "Use access lists or firewall filters to limit access to the web interface only from trusted hosts."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52950",
"datePublished": "2025-07-11T14:40:49.980Z",
"dateReserved": "2025-06-23T13:16:01.409Z",
"dateUpdated": "2026-02-26T17:50:45.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52951 (GCVE-0-2025-52951)
Vulnerability from cvelistv5 – Published: 2025-07-11 14:41 – Updated: 2025-07-15 14:35
VLAI
EPSS
Title
Junos OS: IPv6 firewall filter fails to match payload-protocol
Summary
A Protection Mechanism Failure vulnerability in kernel filter processing of Juniper Networks Junos OS allows an attacker sending IPv6 traffic destined to the device to effectively bypass any firewall filtering configured on the interface.
Due to an issue with Junos OS kernel filter processing, the 'payload-protocol' match is not being supported, causing any term containing it to accept all packets without taking any other action. In essence, these firewall filter terms were being processed as an 'accept' for all traffic on the interface destined for the control plane, even when used in combination with other match criteria.
This issue only affects firewall filters protecting the device's control plane. Transit firewall filtering is unaffected by this vulnerability.
This issue affects Junos OS:
* all versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S11,
* from 22.2 before 22.2R3-S7,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S1,
* from 24.4 before 24.4R1-S2, 24.4R2.
This is a more complete fix for previously published CVE-2024-21607 (JSA75748).
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100055 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 21.2R3-S9
(semver)
Affected: 21.4 , < 21.4R3-S11 (semver) Affected: 22.2 , < 22.2R3-S7 (semver) Affected: 22.4 , < 22.4R3-S7 (semver) Affected: 23.2 , < 23.2R2-S4 (semver) Affected: 23.4 , < 23.4R2-S5 (semver) Affected: 24.2 , < 24.2R2-S1 (semver) Affected: 24.4 , < 24.4R1-S2, 24.4R2 (semver) |
Date Public
2025-07-09 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T14:56:28.100417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:56:33.215Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.2R3-S9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "21.4R3-S11",
"status": "affected",
"version": "21.4",
"versionType": "semver"
},
{
"lessThan": "22.2R3-S7",
"status": "affected",
"version": "22.2",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S7",
"status": "affected",
"version": "22.4",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S5",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2-S1",
"status": "affected",
"version": "24.2",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S2, 24.4R2",
"status": "affected",
"version": "24.4",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following firewall filter configuration, using payload-protocol, will fail to match, allowing traffic to be accepted, rather than discarded:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[firewall family inet6 filter example-filter term reject-tcp from payload-protocol tcp]\u003cbr\u003e[firewall family inet6 filter example-filter term reject-tcp then discard]\u003cbr\u003e[firewall family inet6 filter example-filter term allow-rest then accept]\u003c/tt\u003e"
}
],
"value": "The following firewall filter configuration, using payload-protocol, will fail to match, allowing traffic to be accepted, rather than discarded:\n\n[firewall family inet6 filter example-filter term reject-tcp from payload-protocol tcp]\n[firewall family inet6 filter example-filter term reject-tcp then discard]\n[firewall family inet6 filter example-filter term allow-rest then accept]"
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A Protection Mechanism Failure vulnerability in kernel filter processing of Juniper Networks Junos OS allows an attacker sending IPv6 traffic destined to the device to effectively bypass any firewall filtering configured on the interface.\u003cbr\u003e\u003cbr\u003eDue to an issue with Junos OS kernel filter processing, the \u0027payload-protocol\u0027 match is not being supported, causing any term containing it\u0026nbsp;to accept all packets without taking any other action. In essence, these firewall filter terms were being processed as an \u0027accept\u0027 for all traffic on the interface destined for the control plane, even when used in combination with other match criteria.\u003cbr\u003e\u003cbr\u003eThis issue only affects firewall filters protecting the device\u0027s control plane. Transit firewall filtering is unaffected by this vulnerability.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 21.2R3-S9,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 21.4 before 21.4R3-S11,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.2 before 22.2R3-S7,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.4 before 22.4R3-S7,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2 before 23.2R2-S4,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4 before 23.4R2-S5,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2 before 24.2R2-S1,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.4 before 24.4R1-S2, 24.4R2.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003eThis is a more complete fix for previously published\u0026nbsp;CVE-2024-21607 (JSA75748).\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A Protection Mechanism Failure vulnerability in kernel filter processing of Juniper Networks Junos OS allows an attacker sending IPv6 traffic destined to the device to effectively bypass any firewall filtering configured on the interface.\n\nDue to an issue with Junos OS kernel filter processing, the \u0027payload-protocol\u0027 match is not being supported, causing any term containing it\u00a0to accept all packets without taking any other action. In essence, these firewall filter terms were being processed as an \u0027accept\u0027 for all traffic on the interface destined for the control plane, even when used in combination with other match criteria.\n\nThis issue only affects firewall filters protecting the device\u0027s control plane. Transit firewall filtering is unaffected by this vulnerability.\n\nThis issue affects Junos OS:\u00a0\n\n\n\n * all versions before 21.2R3-S9,\u00a0\n * from 21.4 before 21.4R3-S11,\u00a0\n * from 22.2 before 22.2R3-S7,\u00a0\n * from 22.4 before 22.4R3-S7,\u00a0\n * from 23.2 before 23.2R2-S4,\u00a0\n * from 23.4 before 23.4R2-S5,\u00a0\n * from 24.2 before 24.2R2-S1,\u00a0\n * from 24.4 before 24.4R1-S2, 24.4R2.\n\n\n\nThis is a more complete fix for previously published\u00a0CVE-2024-21607 (JSA75748)."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/AU:Y/R:U/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T14:35:11.059Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100055"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: 21.2R3-S9, 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S5, 24.2R2-S1, 24.4R1-S2, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue: 21.2R3-S9, 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S5, 24.2R2-S1, 24.4R1-S2, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA100055",
"defect": [
"1844796"
],
"discovery": "USER"
},
"timeline": [
{
"lang": "en",
"time": "2025-07-09T16:00:00.000Z",
"value": "Initial Publication"
},
{
"lang": "en",
"time": "2025-07-15T16:00:00.000Z",
"value": "Clarified that only traffic destined to the control plane is affected"
}
],
"title": "Junos OS: IPv6 firewall filter fails to match payload-protocol",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Utilize \u0027next-header\u0027 match instead of \u0027payload-protocol\u0027 in any firewall filter configurations."
}
],
"value": "Utilize \u0027next-header\u0027 match instead of \u0027payload-protocol\u0027 in any firewall filter configurations."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52951",
"datePublished": "2025-07-11T14:41:03.752Z",
"dateReserved": "2025-06-23T13:16:01.409Z",
"dateUpdated": "2025-07-15T14:35:11.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52952 (GCVE-0-2025-52952)
Vulnerability from cvelistv5 – Published: 2025-07-11 15:04 – Updated: 2025-07-11 20:10
VLAI
EPSS
Title
Junos OS: MX Series with MPC-BUILTIN, MPC 1 through MPC 9: Receipt and processing of a malformed packet causes one or more FPCs to crash
Summary
An Out-of-bounds Write vulnerability in the connectivity fault management (CFM) daemon of Juniper Networks Junos OS on MX Series with MPC-BUILTIN, MPC1 through MPC9 line cards allows an unauthenticated adjacent attacker to send a malformed packet to the device, leading to an FPC crash and restart, resulting in a Denial of Service (DoS).
Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.
This issue affects Juniper Networks:
Junos OS:
* All versions before 22.2R3-S1,
* from 22.4 before 22.4R2.
This feature is not enabled by default.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100058 | vendor-advisory |
| https://www.juniper.net/documentation/us/en/softw… | technical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 22.2R3-S1
(semver)
Affected: 22.4 , < 22.4R2 (semver) |
Date Public
2025-07-09 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T20:10:43.269996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T20:10:52.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"pfe ukern",
"cfmman",
"cfmd"
],
"platforms": [
"MX Series with MPC-BUILTIN",
"MPC1 through MPC9"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.2R3-S1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "22.4R2",
"status": "affected",
"version": "22.4",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following minimal configuration is necessary to be present to be potentially exposed to this issue:\u0026nbsp;\u003cbr\u003e\u003ctt\u003e\u0026nbsp; [protocols oam ethernet connectivity-fault-management enhanced-cfm-mode]\u003c/tt\u003e\u003cbr\u003e"
}
],
"value": "The following minimal configuration is necessary to be present to be potentially exposed to this issue:\u00a0\n\u00a0 [protocols oam ethernet connectivity-fault-management enhanced-cfm-mode]"
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn Out-of-bounds Write vulnerability in the connectivity fault management (CFM) daemon of Juniper Networks Junos OS on MX Series with MPC-BUILTIN, MPC1 through MPC9 line cards allows an unauthenticated adjacent attacker to send a malformed packet to the device,\u0026nbsp;leading to an FPC crash and restart, resulting in a Denial of Service (DoS).\u003c/p\u003e\u003cp\u003eContinued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\u003c/p\u003eThis issue affects Juniper Networks:\u003cbr\u003eJunos OS:\u003cbr\u003e\u003cul\u003e\u003cli\u003eAll versions before 22.2R3-S1,\u003c/li\u003e\u003cli\u003efrom 22.4 before 22.4R2.\u003c/li\u003e\u003c/ul\u003eThis feature is not enabled by default.\u003cbr\u003e"
}
],
"value": "An Out-of-bounds Write vulnerability in the connectivity fault management (CFM) daemon of Juniper Networks Junos OS on MX Series with MPC-BUILTIN, MPC1 through MPC9 line cards allows an unauthenticated adjacent attacker to send a malformed packet to the device,\u00a0leading to an FPC crash and restart, resulting in a Denial of Service (DoS).\n\nContinued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\nThis issue affects Juniper Networks:\nJunos OS:\n * All versions before 22.2R3-S1,\n * from 22.4 before 22.4R2.\n\n\nThis feature is not enabled by default."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T15:04:35.691Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100058"
},
{
"tags": [
"technical-description"
],
"url": "https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/topic-map/cfm-configuring.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve these issues:\u003cbr\u003eJunos OS: 22.2R3-S1, 22.4R2,\u0026nbsp;23.2R1, and all subsequent releases.\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve these issues:\nJunos OS: 22.2R3-S1, 22.4R2,\u00a023.2R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA100058",
"defect": [
"1726141"
],
"discovery": "USER"
},
"timeline": [
{
"lang": "en",
"time": "2025-07-09T16:00:00.000Z",
"value": "Initial Publication"
}
],
"title": "Junos OS: MX Series with MPC-BUILTIN, MPC 1 through MPC 9: Receipt and processing of a malformed packet causes one or more FPCs to crash",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue."
}
],
"value": "There are no known workarounds for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52952",
"datePublished": "2025-07-11T15:04:35.691Z",
"dateReserved": "2025-06-23T13:16:01.409Z",
"dateUpdated": "2025-07-11T20:10:52.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52953 (GCVE-0-2025-52953)
Vulnerability from cvelistv5 – Published: 2025-07-11 15:04 – Updated: 2025-07-11 20:11
VLAI
EPSS
Title
Junos OS and Junos OS Evolved: An unauthenticated adjacent attacker sending a valid BGP UPDATE packet forces a BGP session reset
Summary
An Expected Behavior Violation vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS).
Continuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.
This issue affects iBGP and eBGP and both IPv4 and IPv6 are affected by this vulnerability.
This issue affects Junos OS:
* All versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S11,
* from 22.2 before 22.2R3-S7,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S4,
* from 24.2 before 24.2R2,
* from 24.4 before 24.4R1-S3, 24.4R2
Junos OS Evolved:
* All versions before 22.2R3-S7-EVO,
* from 22.4-EVO before 22.4R3-S7-EVO,
* from 23.2-EVO before 23.2R2-S4-EVO,
* from 23.4-EVO before 23.4R2-S4-EVO,
* from 24.2-EVO before 24.2R2-EVO,
* from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-440 - Expected Behavior Violation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100059 | vendor-advisory |
| https://www.juniper.net/documentation/us/en/softw… | technical-description |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 21.2R3-S9
(semver)
Affected: 21.4 , < 21.4R3-S11 (semver) Affected: 22.2 , < 22.2R3-S7 (semver) Affected: 22.4 , < 22.4R3-S7 (semver) Affected: 23.2 , < 23.2R2-S4 (semver) Affected: 23.4 , < 23.4R2-S4 (semver) Affected: 24.2 , < 24.2R2 (semver) Affected: 24.4 , < 24.4R1-S3, 24.4R2 (semver) |
|
| Juniper Networks | Junos OS Evolved |
Affected:
0 , < 22.2R3-S7-EVO
(semver)
Affected: 22.4-EVO , < 22.4R3-S7-EVO (semver) Affected: 23.2-EVO , < 23.2R2-S4-EVO (semver) Affected: 23.4-EVO , < 23.4R2-S4-EVO (semver) Affected: 24.2-EVO , < 24.2R2-EVO (semver) Affected: 24.4-EVO , < 24.4R1-S3-EVO, 24.4R2-EVO (semver) |
Date Public
2025-07-09 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T20:11:16.564518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T20:11:26.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"bgp"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.2R3-S9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "21.4R3-S11",
"status": "affected",
"version": "21.4",
"versionType": "semver"
},
{
"lessThan": "22.2R3-S7",
"status": "affected",
"version": "22.2",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S7",
"status": "affected",
"version": "22.4",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S4",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2",
"status": "affected",
"version": "24.2",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3, 24.4R2",
"status": "affected",
"version": "24.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"bgp"
],
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.2R3-S7-EVO",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S7-EVO",
"status": "affected",
"version": "22.4-EVO",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4-EVO",
"status": "affected",
"version": "23.2-EVO",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S4-EVO",
"status": "affected",
"version": "23.4-EVO",
"versionType": "semver"
},
{
"lessThan": "24.2R2-EVO",
"status": "affected",
"version": "24.2-EVO",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3-EVO, 24.4R2-EVO",
"status": "affected",
"version": "24.4-EVO",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "One of the following minimal configurations is necessary to be exposed to this issue:\u003cbr\u003e\u003ctt\u003e\u0026nbsp; [protocols bgp group \u0026lt;group-name\u0026gt; neighbor \u003cspan style=\"background-color: rgba(245, 248, 255, 0.5);\"\u003e\u0026lt;peer-ip-address\u0026gt;\u003c/span\u003e\u0026nbsp;family inet6-vpn unicast]\u003cbr\u003e\u003c/tt\u003eor\u003cbr\u003e\u003ctt\u003e\u0026nbsp; [protocols bgp group \u0026lt;group-name\u0026gt; family inet6-vpn unicast]\u003cbr\u003eor\u003cbr\u003e\u003c/tt\u003e\u003ctt\u003e\u0026nbsp; [protocols bgp family inet6-vpn unicast]\u003c/tt\u003e"
}
],
"value": "One of the following minimal configurations is necessary to be exposed to this issue:\n\u00a0 [protocols bgp group \u003cgroup-name\u003e neighbor \u003cpeer-ip-address\u003e\u00a0family inet6-vpn unicast]\nor\n\u00a0 [protocols bgp group \u003cgroup-name\u003e family inet6-vpn unicast]\nor\n\u00a0 [protocols bgp family inet6-vpn unicast]"
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Expected Behavior Violation\u0026nbsp;vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS).\u0026nbsp;\u003cbr\u003e\u003cbr\u003eContinuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\u003cbr\u003e\u003cbr\u003eThis issue affects iBGP and eBGP and both IPv4 and IPv6 are affected by this vulnerability.\u003cbr\u003e\u003cbr\u003eThis issue affects Junos OS:\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll versions before 21.2R3-S9,\u003c/li\u003e\u003cli\u003efrom 21.4 before 21.4R3-S11,\u003c/li\u003e\u003cli\u003efrom 22.2 before 22.2R3-S7,\u003c/li\u003e\u003cli\u003efrom 22.4 before 22.4R3-S7,\u003c/li\u003e\u003cli\u003efrom 23.2 before 23.2R2-S4,\u003c/li\u003e\u003cli\u003efrom 23.4 before 23.4R2-S4,\u003c/li\u003e\u003cli\u003efrom 24.2 before 24.2R2,\u003c/li\u003e\u003cli\u003efrom 24.4 before 24.4R1-S3, 24.4R2\u003c/li\u003e\u003c/ul\u003eJunos OS Evolved:\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll versions before 22.2R3-S7-EVO,\u003c/li\u003e\u003cli\u003efrom 22.4-EVO before 22.4R3-S7-EVO,\u003c/li\u003e\u003cli\u003efrom 23.2-EVO before 23.2R2-S4-EVO,\u003c/li\u003e\u003cli\u003efrom 23.4-EVO before 23.4R2-S4-EVO,\u003c/li\u003e\u003cli\u003efrom 24.2-EVO before 24.2R2-EVO,\u003c/li\u003e\u003cli\u003efrom 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "An Expected Behavior Violation\u00a0vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS).\u00a0\n\nContinuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\nThis issue affects iBGP and eBGP and both IPv4 and IPv6 are affected by this vulnerability.\n\nThis issue affects Junos OS:\n\n\n * All versions before 21.2R3-S9,\n * from 21.4 before 21.4R3-S11,\n * from 22.2 before 22.2R3-S7,\n * from 22.4 before 22.4R3-S7,\n * from 23.2 before 23.2R2-S4,\n * from 23.4 before 23.4R2-S4,\n * from 24.2 before 24.2R2,\n * from 24.4 before 24.4R1-S3, 24.4R2\n\n\nJunos OS Evolved:\n\n\n\n * All versions before 22.2R3-S7-EVO,\n * from 22.4-EVO before 22.4R3-S7-EVO,\n * from 23.2-EVO before 23.2R2-S4-EVO,\n * from 23.4-EVO before 23.4R2-S4-EVO,\n * from 24.2-EVO before 24.2R2-EVO,\n * from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440 Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T15:04:55.140Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100059"
},
{
"tags": [
"technical-description"
],
"url": "https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/task/routing-protocol-bgp-security-configuring.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue:\u003cbr\u003eJunos OS: 21.2R3-S9, 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S4, 24.2R2, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases.\u003cbr\u003eJunos OS Evolved: 22.2R3-S7-EVO, 22.4R3-S7-EVO, 23.2R2-S4-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO,\u0026nbsp;and all subsequent releases.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue:\nJunos OS: 21.2R3-S9, 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S4, 24.2R2, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases.\nJunos OS Evolved: 22.2R3-S7-EVO, 22.4R3-S7-EVO, 23.2R2-S4-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO,\u00a0and all subsequent releases."
}
],
"source": {
"advisory": "JSA100059",
"defect": [
"1855477"
],
"discovery": "USER"
},
"title": "Junos OS and Junos OS Evolved: An unauthenticated adjacent attacker sending a valid BGP UPDATE packet forces a BGP session reset",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue."
}
],
"value": "There are no known workarounds for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52953",
"datePublished": "2025-07-11T15:04:55.140Z",
"dateReserved": "2025-06-23T13:16:01.409Z",
"dateUpdated": "2025-07-11T20:11:26.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…