Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2025-2238
Vulnerability from csaf_certbund - Published: 2025-10-08 22:00 - Updated: 2025-10-09 22:00Summary
Juniper JUNOS OS, Space, OS Evolved: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JUNOS ist das "Juniper Network Operating System", das in Juniper Appliances verwendet wird.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Juniper JUNOS ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen oder Daten zu manipulieren.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "JUNOS ist das \"Juniper Network Operating System\", das in Juniper Appliances verwendet wird.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Juniper JUNOS ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder Daten zu manipulieren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2238 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2238.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2238 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2238"
},
{
"category": "external",
"summary": "Juniper Security Advisories vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/global-search/%40uri#sortCriteria=date%20descending\u0026f-sf_primarysourcename=Knowledge\u0026f-sf_articletype=Security%20Advisories\u0026numberOfResults=100"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103157 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Juniper-Security-Director-Insufficient-authorization-for-sensitive-resources-in-web-interface-CVE-2025-59968"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103168 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Device-allows-login-for-user-with-expired-password-CVE-2025-60010"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103165 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Specific-BGP-EVPN-update-message-causes-rpd-crash-CVE-2025-60004"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103151 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-With-BGP-sharding-enabled-change-in-indirect-next-hop-can-cause-RPD-crash-CVE-2025-59962"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103156 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-Evolved-ACX7024-ACX7024X-ACX7100-32C-ACX7100-48L-ACX7348-ACX7509-When-specific-valid-multicast-traffic-is-received-on-the-L3-interface-a-vulnerable-device-evo-pfemand-crashes-and-restarts-CVE-2025-59967"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103163 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-Evolved-Multiple-OS-command-injection-vulnerabilities-fixed-CVE-2025-60006"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103144 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-Evolved-PTX-Series-except-PTX10003-An-unauthenticated-adjacent-attacker-sending-specific-valid-traffic-can-cause-a-memory-leak-in-cfmman-leading-to-FPC-crash-and-restart-CVE-2025-52961"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103147 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-Evolved-PTX-Series-When-firewall-filter-rejects-traffic-these-packets-are-erroneously-sent-to-the-RE-CVE-2025-59958"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103146 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-EX4600-Series-and-QFX5000-Series-An-attacker-with-physical-access-can-open-a-persistent-backdoor-CVE-2025-59957"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103153 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-SRX4700-When-forwarding-options-sampling-is-enabled-any-traffic-destined-to-the-RE-will-cause-the-forwarding-line-card-to-crash-and-restart-CVE-2025-59964"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103143 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-SRX-Series-and-MX-Series-Receipt-of-specific-SIP-packets-in-a-high-utilization-situation-causes-a-flowd-crash-CVE-2025-52960"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103167 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-OS-When-a-user-with-the-name-ftp-or-anonymous-is-configured-unauthenticated-filesystem-access-is-allowed-CVE-2025-59980"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103170 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Arbitrary-file-download-vulnerability-in-web-interface-CVE-2025-59976"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103172 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Flooding-device-with-inbound-API-calls-leads-to-WebUI-and-CLI-management-access-DoS-CVE-2025-59975"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103171 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Junos-Space-Reflected-client-side-HTTP-parameter-pollution-vulnerability-in-web-interface-CVE-2025-59977"
},
{
"category": "external",
"summary": "Juniper Security Advisory JSA103437 vom 2025-10-08",
"url": "https://supportportal.juniper.net/s/article/2025-10-Security-Bulletin-Security-Director-Policy-Enforcer-An-unrestricted-API-allows-a-network-based-unauthenticated-attacker-to-deploy-malicious-vSRX-images-to-VMWare-NSX-Server-CVE-2025-11198"
}
],
"source_lang": "en-US",
"title": "Juniper JUNOS OS, Space, OS Evolved: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-10-09T22:00:00.000+00:00",
"generator": {
"date": "2025-10-10T08:19:57.987+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2238",
"initial_release_date": "2025-10-08T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-08T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-10-09T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-33399, EUVD-2025-33360, EUVD-2025-33391, EUVD-2025-33397, EUVD-2025-33401, EUVD-2025-33387, EUVD-2025-33362, EUVD-2025-33363, EUVD-2025-33388, EUVD-2025-33398, EUVD-2025-33403, EUVD-2025-33378, EUVD-2025-33390, EUVD-2025-33402, EUVD-2025-33400"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "Space Security Director",
"product": {
"name": "Juniper JUNOS Space Security Director",
"product_id": "T047510",
"product_identification_helper": {
"cpe": "cpe:/o:juniper:junos:space_security_director"
}
}
},
{
"category": "product_version",
"name": "OS Evolved",
"product": {
"name": "Juniper JUNOS OS Evolved",
"product_id": "T047511",
"product_identification_helper": {
"cpe": "cpe:/o:juniper:junos:os_evolved"
}
}
},
{
"category": "product_version",
"name": "OS",
"product": {
"name": "Juniper JUNOS OS",
"product_id": "T047512",
"product_identification_helper": {
"cpe": "cpe:/o:juniper:junos:os"
}
}
},
{
"category": "product_version",
"name": "Space",
"product": {
"name": "Juniper JUNOS Space",
"product_id": "T047513",
"product_identification_helper": {
"cpe": "cpe:/o:juniper:junos:space"
}
}
},
{
"category": "product_version",
"name": "Space Security Director Policy Enforcer",
"product": {
"name": "Juniper JUNOS Space Security Director Policy Enforcer",
"product_id": "T047514",
"product_identification_helper": {
"cpe": "cpe:/o:juniper:junos:space_security_director_policy_enforcer"
}
}
}
],
"category": "product_name",
"name": "JUNOS"
}
],
"category": "vendor",
"name": "Juniper"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11198",
"product_status": {
"known_affected": [
"T047514",
"T047510"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-11198"
},
{
"cve": "CVE-2025-59968",
"product_status": {
"known_affected": [
"T047514",
"T047510"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59968"
},
{
"cve": "CVE-2025-59975",
"product_status": {
"known_affected": [
"T047513",
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59975"
},
{
"cve": "CVE-2025-59976",
"product_status": {
"known_affected": [
"T047513",
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59976"
},
{
"cve": "CVE-2025-59977",
"product_status": {
"known_affected": [
"T047513",
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59977"
},
{
"cve": "CVE-2025-52960",
"product_status": {
"known_affected": [
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-52960"
},
{
"cve": "CVE-2025-59957",
"product_status": {
"known_affected": [
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59957"
},
{
"cve": "CVE-2025-59964",
"product_status": {
"known_affected": [
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59964"
},
{
"cve": "CVE-2025-59980",
"product_status": {
"known_affected": [
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59980"
},
{
"cve": "CVE-2025-52961",
"product_status": {
"known_affected": [
"T047511"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-52961"
},
{
"cve": "CVE-2025-59958",
"product_status": {
"known_affected": [
"T047511"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59958"
},
{
"cve": "CVE-2025-59967",
"product_status": {
"known_affected": [
"T047511"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59967"
},
{
"cve": "CVE-2025-60006",
"product_status": {
"known_affected": [
"T047511"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-60006"
},
{
"cve": "CVE-2025-59962",
"product_status": {
"known_affected": [
"T047511",
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-59962"
},
{
"cve": "CVE-2025-60004",
"product_status": {
"known_affected": [
"T047511",
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-60004"
},
{
"cve": "CVE-2025-60010",
"product_status": {
"known_affected": [
"T047511",
"T047512"
]
},
"release_date": "2025-10-08T22:00:00.000+00:00",
"title": "CVE-2025-60010"
}
]
}
CVE-2025-59962 (GCVE-0-2025-59962)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:45 – Updated: 2025-10-09 19:05
VLAI?
EPSS
Title
Junos OS and Junos OS Evolved: With BGP sharding enabled, change in indirect next-hop can cause RPD crash
Summary
An Access of Uninitialized Pointer vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved with BGP sharding configured allows an attacker triggering indirect next-hop updates, along with timing outside the attacker's control, to cause rpd to crash and restart, leading to a Denial of Service (DoS).
With BGP sharding enabled, triggering route resolution of an indirect next-hop (e.g., an IGP route change over which a BGP route gets resolved), may cause rpd to crash and restart. An attacker causing continuous IGP route churn, resulting in repeated route re-resolution, will increase the likelihood of triggering this issue, leading to a potentially extended DoS condition.
This issue affects:
Junos OS:
* all versions before 21.4R3-S6,
* from 22.1 before 22.1R3-S6,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2;
Junos OS Evolved:
* all versions before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-EVO,
* from 23.2 before 23.2R2-EVO.
Versions before Junos OS 21.3R1 and Junos OS Evolved 21.3R1-EVO are unaffected by this issue.
Severity ?
CWE
- CWE-824 - Access of Uninitialized Pointer
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
21.4 , < 21.4R3-S6
(semver)
Affected: 22.1 , < 22.1R3-S6 (semver) Affected: 22.2 , < 22.2R3-S3 (semver) Affected: 22.3 , < 22.3R3-S3 (semver) Affected: 22.4 , < 22.4R3 (semver) Affected: 23.2 , < 23.2R2 (semver) Unaffected: 0 , < 21.3R1 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:04:53.957280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:05:04.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.4R3-S6",
"status": "affected",
"version": "21.4",
"versionType": "semver"
},
{
"lessThan": "22.1R3-S6",
"status": "affected",
"version": "22.1",
"versionType": "semver"
},
{
"lessThan": "22.2R3-S3",
"status": "affected",
"version": "22.2",
"versionType": "semver"
},
{
"lessThan": "22.3R3-S3",
"status": "affected",
"version": "22.3",
"versionType": "semver"
},
{
"lessThan": "22.4R3",
"status": "affected",
"version": "22.4",
"versionType": "semver"
},
{
"lessThan": "23.2R2",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "21.3R1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.3R3-S3-EVO",
"status": "affected",
"version": "22.3",
"versionType": "semver"
},
{
"lessThan": "22.4R3-EVO",
"status": "affected",
"version": "22.4",
"versionType": "semver"
},
{
"lessThan": "23.2R2-EVO",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "21.3R1-EVO",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Systems are only vulnerable to this issue if BGP sharding is enabled. For example:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[ system processes routing bgp rib-sharding ]\u003c/tt\u003e"
}
],
"value": "Systems are only vulnerable to this issue if BGP sharding is enabled. For example:\n\n[ system processes routing bgp rib-sharding ]"
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn Access of Uninitialized Pointer vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved with BGP sharding configured allows an attacker triggering indirect next-hop updates, along with timing outside the attacker\u0027s control, to cause rpd to crash and restart, leading to a Denial of Service (DoS).\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eWith BGP sharding enabled, triggering route resolution of an indirect next-hop (e.g., an IGP route change over which a BGP route gets resolved), may cause rpd to crash and restart. An attacker causing continuous IGP route churn, resulting in repeated route re-resolution, will increase the likelihood of triggering this issue, leading to a potentially extended DoS condition.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects:\u003c/p\u003e\u003cp\u003eJunos OS:\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 21.4R3-S6,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.1 before 22.1R3-S6,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.2 before 22.2R3-S3,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.3 before 22.3R3-S3,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.4 before 22.4R3,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2 before 23.2R2;\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eJunos OS Evolved:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 22.3R3-S3-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.4 before 22.4R3-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2 before 23.2R2-EVO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003eVersions before Junos OS 21.3R1 and Junos OS Evolved 21.3R1-EVO are unaffected by this issue."
}
],
"value": "An Access of Uninitialized Pointer vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved with BGP sharding configured allows an attacker triggering indirect next-hop updates, along with timing outside the attacker\u0027s control, to cause rpd to crash and restart, leading to a Denial of Service (DoS).\n\nWith BGP sharding enabled, triggering route resolution of an indirect next-hop (e.g., an IGP route change over which a BGP route gets resolved), may cause rpd to crash and restart. An attacker causing continuous IGP route churn, resulting in repeated route re-resolution, will increase the likelihood of triggering this issue, leading to a potentially extended DoS condition.\n\nThis issue affects:\n\nJunos OS:\n\n\n\n * all versions before 21.4R3-S6,\u00a0\n * from 22.1 before 22.1R3-S6,\u00a0\n * from 22.2 before 22.2R3-S3,\u00a0\n * from 22.3 before 22.3R3-S3,\u00a0\n * from 22.4 before 22.4R3,\u00a0\n * from 23.2 before 23.2R2;\u00a0\n\n\n\n\nJunos OS Evolved:\u00a0\n\n\n\n * all versions before 22.3R3-S3-EVO,\u00a0\n * from 22.4 before 22.4R3-EVO,\u00a0\n * from 23.2 before 23.2R2-EVO.\n\n\n\n\nVersions before Junos OS 21.3R1 and Junos OS Evolved 21.3R1-EVO are unaffected by this issue."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-824",
"description": "CWE-824 Access of Uninitialized Pointer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:45:19.343Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103151"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: \u003cbr\u003eJunos OS\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e21.4R3-S6, 22.1R3-S6, 22.2R3-S3, 22.3R3-S3, 22.4R3, 23.2R2, 23.4R1, and all subsequent releases.\u003c/span\u003e\n\n\u003cbr\u003eJunos OS Evolved 22.3R3-S3-EVO, 22.4R3-EVO, 23.2R2-EVO, 23.4R1-EVO, and all subsequent releases.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue: \nJunos OS\u00a021.4R3-S6, 22.1R3-S6, 22.2R3-S3, 22.3R3-S3, 22.4R3, 23.2R2, 23.4R1, and all subsequent releases.\n\n\nJunos OS Evolved 22.3R3-S3-EVO, 22.4R3-EVO, 23.2R2-EVO, 23.4R1-EVO, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103151",
"defect": [
"1756068"
],
"discovery": "USER"
},
"title": "Junos OS and Junos OS Evolved: With BGP sharding enabled, change in indirect next-hop can cause RPD crash",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Temporarily disabling BGP sharding will mitigate this issue."
}
],
"value": "Temporarily disabling BGP sharding will mitigate this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-59962",
"datePublished": "2025-10-09T15:45:19.343Z",
"dateReserved": "2025-09-23T18:19:06.955Z",
"dateUpdated": "2025-10-09T19:05:04.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59976 (GCVE-0-2025-59976)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:59 – Updated: 2025-10-09 19:49
VLAI?
EPSS
Title
Junos Space: Arbitrary file download vulnerability in web interface
Summary
An arbitrary file download vulnerability in the web interface of Juniper Networks Junos Space allows a network-based authenticated attacker using a crafted GET method to access any file on the file system. Using specially crafted GET methods, an attacker can gain access to files beyond the file path normally allowed by the JBoss daemon. These files could contain sensitive information restricted from access by low-privileged users.This issue affects all versions of Junos Space before 24.1R3.
Severity ?
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos Space |
Affected:
0 , < 24.1R3
(semver)
|
Credits
Juniper SIRT would like to acknowledge and thank Arnoldas Radisauskas and Jorge Escabias from NATO Cyber Security Center for responsibly reporting this vulnerability.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:43:28.910167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:49:14.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos Space",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "24.1R3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juniper SIRT would like to acknowledge and thank Arnoldas Radisauskas and Jorge Escabias from NATO Cyber Security Center for responsibly reporting this vulnerability."
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An arbitrary file download vulnerability in the web interface of Juniper Networks Junos Space allows a network-based authenticated attacker using a crafted GET method to access any file on the file system. Using specially crafted GET methods, an attacker can gain access to files beyond the file path normally allowed by the JBoss daemon. These files could contain sensitive information restricted from access by low-privileged users.\u003cp\u003eThis issue affects all versions of Junos Space before 24.1R3.\u003c/p\u003e"
}
],
"value": "An arbitrary file download vulnerability in the web interface of Juniper Networks Junos Space allows a network-based authenticated attacker using a crafted GET method to access any file on the file system. Using specially crafted GET methods, an attacker can gain access to files beyond the file path normally allowed by the JBoss daemon. These files could contain sensitive information restricted from access by low-privileged users.This issue affects all versions of Junos Space before 24.1R3."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:59:07.997Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103170"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: Junos Space 24.1R3, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue: Junos Space 24.1R3, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103170",
"defect": [
"1809260"
],
"discovery": "EXTERNAL"
},
"title": "Junos Space: Arbitrary file download vulnerability in web interface",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use access lists or firewall filters to limit access to the device only from trusted hosts.\u003cbr\u003e"
}
],
"value": "Use access lists or firewall filters to limit access to the device only from trusted hosts."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-59976",
"datePublished": "2025-10-09T15:59:07.997Z",
"dateReserved": "2025-09-23T18:19:06.956Z",
"dateUpdated": "2025-10-09T19:49:14.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52961 (GCVE-0-2025-52961)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:40 – Updated: 2025-10-09 19:49
VLAI?
EPSS
Title
Junos OS Evolved: PTX Series except PTX10003: An unauthenticated adjacent attacker sending specific valid traffic can cause a memory leak in cfmman leading to FPC crash and restart
Summary
An Uncontrolled Resource Consumption vulnerability in the Connectivity Fault Management (CFM) daemon and the Connectivity Fault Management Manager (cfmman) of Juniper Networks Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
An attacker on an adjacent device sending specific valid traffic can cause cfmd to spike the CPU to 100% and cfmman's memory to leak, eventually to cause the FPC crash and restart.
Continued receipt and processes of these specific valid packets will sustain the Denial of Service (DoS) condition.
An indicator of compromise is to watch for an increase in cfmman memory rising over time by issuing the following command and evaluating the RSS number. If the RSS is growing into GBs then consider restarting the device to temporarily clear memory.
user@device> show system processes node fpc<num> detail | match cfmman
Example:
show system processes node fpc0 detail | match cfmman
F S UID PID PPID PGID SID C PRI NI ADDR SZ WCHAN RSS PSR STIME TTY TIME CMD
4 S root 15204 1 15204 15204 0 80 0 - 90802 - 113652 4 Sep25 ? 00:15:28 /usr/bin/cfmman -p /var/pfe -o -c /usr/conf/cfmman-cfg-active.xml
This issue affects Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016:
* from 23.2R1-EVO before 23.2R2-S4-EVO,
* from 23.4 before 23.4R2-S4-EVO,
* from 24.2 before 24.2R2-EVO,
* from 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO.
This issue does not affect Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 before 23.2R1-EVO.
Severity ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS Evolved |
Affected:
23.2R1-EVO , < 23.2R2-S4-EVO
(semver)
Affected: 23.4-EVO , < 23.4R2-S4-EVO (semver) Affected: 24.2-EVO , < 24.2R2-EVO (semver) Affected: 24.4-EVO , < 24.4R1-S2-EVO, 24.4R2-EVO (semver) Unaffected: 0 , < 23.2R1-EVO (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:43:31.113048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:49:35.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"cfmman",
"cfmd"
],
"platforms": [
"PTX10001-36MR",
"PTX10002-36QDD",
"PTX10004",
"PTX10008",
"PTX10016"
],
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "23.2R2-S4-EVO",
"status": "affected",
"version": "23.2R1-EVO",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S4-EVO",
"status": "affected",
"version": "23.4-EVO",
"versionType": "semver"
},
{
"lessThan": "24.2R2-EVO",
"status": "affected",
"version": "24.2-EVO",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S2-EVO, 24.4R2-EVO",
"status": "affected",
"version": "24.4-EVO",
"versionType": "semver"
},
{
"lessThan": "23.2R1-EVO",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue occurs only when CFM has been configured on any interface:\u003cbr\u003e\u003ctt\u003e\u0026nbsp; [ protocols oam ethernet connectivity-fault-management maintenance-domain \u0026lt;md-name\u0026gt; level \u0026lt;number\u0026gt; ]\u003cbr\u003e\u003c/tt\u003e"
}
],
"value": "This issue occurs only when CFM has been configured on any interface:\n\u00a0 [ protocols oam ethernet connectivity-fault-management maintenance-domain \u003cmd-name\u003e level \u003cnumber\u003e ]"
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Uncontrolled Resource Consumption vulnerability in the Connectivity Fault Management (CFM) daemon\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and the Connectivity Fault Management Manager (cfmman)\u0026nbsp;\u003c/span\u003eof Juniper Networks Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).\u003cbr\u003e\u003cbr\u003eAn attacker on an adjacent device sending specific valid traffic can cause cfmd to spike the CPU to 100% and cfmman\u0027s memory to leak, eventually to cause the FPC crash and restart.\u003cbr\u003e\u003cbr\u003eContinued receipt and processes of these specific valid packets will sustain the Denial of Service (DoS) condition.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn indicator of compromise is to watch\u0026nbsp;for an increase in cfmman memory rising over time by issuing the following command and evaluating the\u0026nbsp;\u003ctt\u003e\u003cspan style=\"background-color: rgb(239, 250, 102);\"\u003e\u003cb\u003eRSS\u003c/b\u003e\u003c/span\u003e\u0026nbsp;number.\u0026nbsp;If the RSS is growing into GBs then consider restarting the device to temporarily clear memory.\u003c/tt\u003e\u003cbr\u003e \u003cbr\u003e\u003c/span\u003e\u003ctt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp; user@device\u0026gt; show system processes node fpc\u003ci\u003e\u0026lt;num\u0026gt;\u003c/i\u003e detail | match cfmman\u003cbr\u003e\u003c/span\u003e\u003c/tt\u003e\u003cbr\u003eExample:\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e\u0026nbsp; show system processes node fpc0 detail | match cfmman\u0026nbsp;\u003c/tt\u003e\u003ctt\u003e\u003cbr\u003e\u0026nbsp; F S UID \u0026nbsp; \u0026nbsp; \u0026nbsp; PID\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;PPID PGID \u0026nbsp; SID\u0026nbsp; \u0026nbsp;C PRI NI\u0026nbsp; ADDR SZ\u0026nbsp; \u0026nbsp; WCHAN \u0026nbsp; \u003cb\u003e\u003cspan style=\"background-color: rgb(239, 250, 102);\"\u003eRSS\u003c/span\u003e\u003c/b\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp;PSR STIME TTY \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; TIME\u0026nbsp; \u0026nbsp; \u0026nbsp;CMD\u003cbr\u003e\u0026nbsp; 4 S root\u0026nbsp; \u0026nbsp; \u0026nbsp; 15204 \u0026nbsp; \u0026nbsp; 1\u0026nbsp; \u0026nbsp; 15204\u0026nbsp; 15204 0 80\u0026nbsp; 0\u0026nbsp; \u0026nbsp;- 90802\u0026nbsp; \u0026nbsp; \u0026nbsp;-\u0026nbsp; \u0026nbsp; \u0026nbsp; \u003cb\u003e\u003cspan style=\"background-color: rgb(239, 250, 102);\"\u003e113652\u003c/span\u003e\u003c/b\u003e\u0026nbsp; \u0026nbsp;4\u0026nbsp; Sep25 ?\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;00:15:28 /usr/bin/cfmman -p /var/pfe -o -c /usr/conf/cfmman-cfg-active.xml\u003c/tt\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS Evolved on\u0026nbsp;PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016:\u003c/p\u003e\u003cul\u003e\u003cli\u003efrom 23.2R1-EVO before 23.2R2-S4-EVO, \u003c/li\u003e\u003cli\u003efrom 23.4 before 23.4R2-S4-EVO, \u003c/li\u003e\u003cli\u003efrom 24.2 before 24.2R2-EVO, \u003c/li\u003e\u003cli\u003efrom 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO.\u003c/li\u003e\u003c/ul\u003eThis issue does not affect Junos OS Evolved on\u0026nbsp;PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 before 23.2R1-EVO."
}
],
"value": "An Uncontrolled Resource Consumption vulnerability in the Connectivity Fault Management (CFM) daemon\u00a0and the Connectivity Fault Management Manager (cfmman)\u00a0of Juniper Networks Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).\n\nAn attacker on an adjacent device sending specific valid traffic can cause cfmd to spike the CPU to 100% and cfmman\u0027s memory to leak, eventually to cause the FPC crash and restart.\n\nContinued receipt and processes of these specific valid packets will sustain the Denial of Service (DoS) condition.\n\nAn indicator of compromise is to watch\u00a0for an increase in cfmman memory rising over time by issuing the following command and evaluating the\u00a0RSS\u00a0number.\u00a0If the RSS is growing into GBs then consider restarting the device to temporarily clear memory.\n \n\u00a0 user@device\u003e show system processes node fpc\u003cnum\u003e detail | match cfmman\n\nExample:\u00a0\n\n\u00a0 show system processes node fpc0 detail | match cfmman\u00a0\n\u00a0 F S UID \u00a0 \u00a0 \u00a0 PID\u00a0 \u00a0 \u00a0 \u00a0PPID PGID \u00a0 SID\u00a0 \u00a0C PRI NI\u00a0 ADDR SZ\u00a0 \u00a0 WCHAN \u00a0 RSS\u00a0 \u00a0 \u00a0PSR STIME TTY \u00a0 \u00a0 \u00a0 \u00a0 TIME\u00a0 \u00a0 \u00a0CMD\n\u00a0 4 S root\u00a0 \u00a0 \u00a0 15204 \u00a0 \u00a0 1\u00a0 \u00a0 15204\u00a0 15204 0 80\u00a0 0\u00a0 \u00a0- 90802\u00a0 \u00a0 \u00a0-\u00a0 \u00a0 \u00a0 113652\u00a0 \u00a04\u00a0 Sep25 ?\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a000:15:28 /usr/bin/cfmman -p /var/pfe -o -c /usr/conf/cfmman-cfg-active.xml\nThis issue affects Junos OS Evolved on\u00a0PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016:\n\n * from 23.2R1-EVO before 23.2R2-S4-EVO, \n * from 23.4 before 23.4R2-S4-EVO, \n * from 24.2 before 24.2R2-EVO, \n * from 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO.\n\n\nThis issue does not affect Junos OS Evolved on\u00a0PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 before 23.2R1-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:42:58.625Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103144"
},
{
"tags": [
"technical-description"
],
"url": "https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/topic-map/cfm-configuring.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue:\u0026nbsp;\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eJunos OS Evolved: 23.2R2-S4-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-S2-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue:\u00a0\nJunos OS Evolved: 23.2R2-S4-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-S2-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103144",
"defect": [
"1856405"
],
"discovery": "USER"
},
"title": "Junos OS Evolved: PTX Series except PTX10003: An unauthenticated adjacent attacker sending specific valid traffic can cause a memory leak in cfmman leading to FPC crash and restart",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue.\u003cbr\u003eTo reduce the risk of exploitation, enable input and output access control lists (ACLs) and other filtering mechanisms to limit access to the device only from trusted users, hosts and networks.\u003cbr\u003e"
}
],
"value": "There are no known workarounds for this issue.\nTo reduce the risk of exploitation, enable input and output access control lists (ACLs) and other filtering mechanisms to limit access to the device only from trusted users, hosts and networks."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52961",
"datePublished": "2025-10-09T15:40:52.572Z",
"dateReserved": "2025-06-23T13:17:37.424Z",
"dateUpdated": "2025-10-09T19:49:35.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11198 (GCVE-0-2025-11198)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:39 – Updated: 2025-10-09 19:49
VLAI?
EPSS
Title
Security Director Policy Enforcer: An unrestricted API allows a network-based unauthenticated attacker to deploy malicious vSRX images to VMWare NSX Server
Summary
A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones.
If a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker's uploaded image to VMware NSX instead of a legitimate one.
This issue affects Security Director Policy Enforcer:
* All versions before 23.1R1 Hotpatch v3.
This issue does not affect Junos Space Security Director Insights.
Severity ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Security Director Policy Enforcer |
Affected:
0 , < 23.1R1 Hotpatch v3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:43:35.273114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:49:45.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Security Director Policy Enforcer",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "23.1R1 Hotpatch v3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones.\u003c/div\u003e\u003cdiv\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cp\u003eIf a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker\u0027s uploaded image to VMware NSX instead of a legitimate one.\u003c/p\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects\u0026nbsp;Security Director Policy Enforcer:\u0026nbsp;\u0026nbsp;\u003c/p\u003e\u003c/div\u003e\u003cul\u003e\u003cli\u003eAll versions before 23.1R1 Hotpatch v3.\u003c/li\u003e\u003c/ul\u003eThis issue does not affect Junos Space Security Director Insights."
}
],
"value": "A Missing Authentication for Critical Function vulnerability in Juniper Networks Security Director Policy Enforcer allows an unauthenticated, network-based attacker to replace legitimate vSRX images with malicious ones.\n\n\n\nIf a trusted user initiates deployment, Security Director Policy Enforcer will deliver the attacker\u0027s uploaded image to VMware NSX instead of a legitimate one.\n\n\n\n\n\nThis issue affects\u00a0Security Director Policy Enforcer:\u00a0\u00a0\n\n\n\n * All versions before 23.1R1 Hotpatch v3.\n\n\nThis issue does not affect Junos Space Security Director Insights."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:42:07.428Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103437"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue:\u003cbr\u003eSecurity Director Policy Enforcer 23.1 Hotpatch v3, 24.1R4, and all subsequent releases.\u003cbr\u003e\u003cbr\u003eAdditionally, Juniper SIRT suggests action taken to rotate secrets across all devices after upgrading.\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue:\nSecurity Director Policy Enforcer 23.1 Hotpatch v3, 24.1R4, and all subsequent releases.\n\nAdditionally, Juniper SIRT suggests action taken to rotate secrets across all devices after upgrading."
}
],
"source": {
"advisory": "JSA103437",
"defect": [
"1833604"
],
"discovery": "USER"
},
"timeline": [
{
"lang": "en",
"time": "2026-10-08T16:00:00.000Z",
"value": "Initial Publication"
}
],
"title": "Security Director Policy Enforcer: An unrestricted API allows a network-based unauthenticated attacker to deploy malicious vSRX images to VMWare NSX Server",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue.\u003cbr\u003eTo reduce the risk of exploitation, enable access control lists (ACLs) and other filtering mechanisms to limit access to the device only from trusted users, hosts and networks.\u003cbr\u003e"
}
],
"value": "There are no known workarounds for this issue.\nTo reduce the risk of exploitation, enable access control lists (ACLs) and other filtering mechanisms to limit access to the device only from trusted users, hosts and networks."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-11198",
"datePublished": "2025-10-09T15:39:28.578Z",
"dateReserved": "2025-09-30T19:04:32.768Z",
"dateUpdated": "2025-10-09T19:49:45.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52960 (GCVE-0-2025-52960)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:40 – Updated: 2025-12-01 08:41
VLAI?
EPSS
Title
Junos OS: SRX Series and MX Series: Receipt of specific SIP packets in a high utilization situation causes a flowd/mspmand crash
Summary
A Buffer Copy without Checking Size of Input vulnerability in the
Session Initialization Protocol (SIP) ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).
When memory utilization is high, and specific SIP packets are received, flowd/mspmand crashes. While the system recovers automatically, the disruption can significantly impact service stability. Continuous receipt of these specific SIP packets, while high utilization is present, will cause a sustained DoS condition. The utilization is outside the attackers control, so they would not be able to deterministically exploit this.
This issue affects Junos OS on SRX Series and MX Series:
* All versions before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2.
Severity ?
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 22.4R3-S7
(semver)
Affected: 23.2 , < 23.2R2-S4 (semver) Affected: 23.4 , < 23.4R2-S5 (semver) Affected: 24.2 , < 24.2R2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:43:33.225187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:49:40.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"SRX Series",
"MX Series"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.4R3-S7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S5",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2",
"status": "affected",
"version": "24.2",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTo be affected the SIP ALG needs to be enabled, either implicitly / by default or by way of configuration.\u003c/p\u003e\u003cp\u003ePlease verify on SRX, and MX with SPC3 with:\u003c/p\u003e\u003ccode\u003euser@host\u0026gt; show security alg status | match sip\u003c/code\u003e\u003cb\u003e\u003cbr\u003e\u003c/b\u003e\u003ccode\u003eSIP : Enabled\u003c/code\u003e\u003cb\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003c/b\u003e\u003cp\u003ePlease verify on MX whether the following is configured:\u003c/p\u003e\u003ccode\u003e[services ... rule \u0026lt;rule-name\u0026gt; (term \u0026lt;term-name\u0026gt; ) from/match application/application-set \u0026lt;name\u0026gt;]\u003c/code\u003e\u003cp\u003ewhere either\u003c/p\u003e\u003ccode\u003ea. name = junos-sip\u003c/code\u003e\u003cp\u003eor an application or application-set refers to SIP:\u003c/p\u003e\u003ccode\u003eb. [applications application \u0026lt;name\u0026gt; application-protocol sip]\u003c/code\u003e\u003cp\u003eor\u003c/p\u003e\u003ccode\u003ec. [applications application-set \u0026lt;name\u0026gt; application junos-sip]\u003c/code\u003e\u003cbr\u003e"
}
],
"value": "To be affected the SIP ALG needs to be enabled, either implicitly / by default or by way of configuration.\n\nPlease verify on SRX, and MX with SPC3 with:\n\nuser@host\u003e show security alg status | match sip\nSIP : Enabled\n\n\nPlease verify on MX whether the following is configured:\n\n[services ... rule \u003crule-name\u003e (term \u003cterm-name\u003e ) from/match application/application-set \u003cname\u003e]where either\n\na. name = junos-sipor an application or application-set refers to SIP:\n\nb. [applications application \u003cname\u003e application-protocol sip]or\n\nc. [applications application-set \u003cname\u003e application junos-sip]"
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A Buffer Copy without Checking Size of Input vulnerability in the \n\nSession Initialization Protocol (SIP) ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).\u003cbr\u003e\u003cbr\u003eWhen memory utilization is high, and specific \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSIP\u0026nbsp;\u003c/span\u003epackets are received, flowd/mspmand crashes. While the system recovers automatically, the disruption can significantly impact service stability. Continuous receipt of these specific SIP packets, while high utilization is present, will cause a sustained DoS condition. The utilization is outside the attackers control, so they would not be able to deterministically exploit this.\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS on SRX Series and MX Series:\u0026nbsp;\u003cbr\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll versions before 22.4R3-S7,\u003c/li\u003e\u003cli\u003efrom 23.2 before 23.2R2-S4, \u003c/li\u003e\u003cli\u003efrom 23.4 before 23.4R2-S5, \u003c/li\u003e\u003cli\u003efrom 24.2 before 24.2R2.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "A Buffer Copy without Checking Size of Input vulnerability in the \n\nSession Initialization Protocol (SIP) ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).\n\nWhen memory utilization is high, and specific SIP\u00a0packets are received, flowd/mspmand crashes. While the system recovers automatically, the disruption can significantly impact service stability. Continuous receipt of these specific SIP packets, while high utilization is present, will cause a sustained DoS condition. The utilization is outside the attackers control, so they would not be able to deterministically exploit this.\nThis issue affects Junos OS on SRX Series and MX Series:\u00a0\n\n\n * All versions before 22.4R3-S7,\n * from 23.2 before 23.2R2-S4, \n * from 23.4 before 23.4R2-S5, \n * from 24.2 before 24.2R2."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T08:41:51.806Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103143"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://kb.juniper.net/JSA103143"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: 22.4R3-S7, 23.2R2-S4, 23.4R2-S5, 24.2R2, 24.4R1, and all subsequent releases.\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue: 22.4R3-S7, 23.2R2-S4, 23.4R2-S5, 24.2R2, 24.4R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103143",
"defect": [
"1819450"
],
"discovery": "USER"
},
"title": "Junos OS: SRX Series and MX Series: Receipt of specific SIP packets in a high utilization situation causes a flowd/mspmand crash",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eTo reduce the risk of exploitation customers not requiring the SIP ALG functionality could explicitly disable it (in case it\u0027s by default enabled) by configuring:\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[ security alg sip disable ]\u003c/tt\u003e\u003cbr\u003e"
}
],
"value": "There are no known workarounds for this issue.\n\nTo reduce the risk of exploitation customers not requiring the SIP ALG functionality could explicitly disable it (in case it\u0027s by default enabled) by configuring:\n\n[ security alg sip disable ]"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52960",
"datePublished": "2025-10-09T15:40:20.193Z",
"dateReserved": "2025-06-23T13:17:37.424Z",
"dateUpdated": "2025-12-01T08:41:51.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59980 (GCVE-0-2025-59980)
Vulnerability from cvelistv5 – Published: 2025-10-09 16:05 – Updated: 2025-10-10 14:41
VLAI?
EPSS
Title
Junos OS: When a user with the name ftp or anonymous is configured unauthenticated filesystem access is allowed
Summary
An Authentication Bypass by Primary Weakness
in the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device.
When the FTP server is enabled and a user named "ftp" or "anonymous" is configured, that user can login without providing the configured password and then has read-write access to their home directory.
This issue affects Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2.
Severity ?
CWE
- CWE-305 - Authentication Bypass by Primary Weakness
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 22.4R3-S8
(semver)
Affected: 23.2 , < 23.2R2-S3 (semver) Affected: 23.4 , < 23.4R2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59980",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:45:37.043436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:49:01.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.4R3-S8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S3",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2",
"status": "affected",
"version": "23.4",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A system is only exploitable if ftp is enabled and a user with the name \"ftp\" or \"anonymous\" is configured:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[ system services ftp ]\u003cbr\u003e[ system login user (ftp | anonymous) ... ]\u003c/tt\u003e"
}
],
"value": "A system is only exploitable if ftp is enabled and a user with the name \"ftp\" or \"anonymous\" is configured:\n\n[ system services ftp ]\n[ system login user (ftp | anonymous) ... ]"
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Authentication Bypass by Primary Weakness\n\nin the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device.\u003cbr\u003e\u003cp\u003eWhen the FTP server is enabled and a user named \"ftp\" or \"anonymous\" is configured, that user can login without providing the configured password and then has read-write access to their home directory.\u003c/p\u003e\u003cp\u003eThis issue affects Junos OS:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 22.4R3-S8,\u003c/li\u003e\u003cli\u003e23.2 versions before 23.2R2-S3,\u003c/li\u003e\u003cli\u003e23.4 versions before 23.4R2.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An Authentication Bypass by Primary Weakness\n\nin the FTP server of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to get limited read-write access to files on the device.\nWhen the FTP server is enabled and a user named \"ftp\" or \"anonymous\" is configured, that user can login without providing the configured password and then has read-write access to their home directory.\n\nThis issue affects Junos OS:\u00a0\n\n\n\n * all versions before 22.4R3-S8,\n * 23.2 versions before 23.2R2-S3,\n * 23.4 versions before 23.4R2."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T14:41:12.698Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103167"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: 22.4R3-S8, 23.2R2-S3, 23.4R2, 24.2R1, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue: 22.4R3-S8, 23.2R2-S3, 23.4R2, 24.2R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103167",
"defect": [
"1771132"
],
"discovery": "USER"
},
"title": "Junos OS: When a user with the name ftp or anonymous is configured unauthenticated filesystem access is allowed",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Choosing another name for the user \"ftp\" or \"anonymous\" will prevent exploitation of this issue."
}
],
"value": "Choosing another name for the user \"ftp\" or \"anonymous\" will prevent exploitation of this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-59980",
"datePublished": "2025-10-09T16:05:17.009Z",
"dateReserved": "2025-09-23T18:19:06.957Z",
"dateUpdated": "2025-10-10T14:41:12.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59975 (GCVE-0-2025-59975)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:58 – Updated: 2025-10-09 19:49
VLAI?
EPSS
Title
Junos Space: Flooding device with inbound API calls leads to WebUI and CLI management access DoS
Summary
An Uncontrolled Resource Consumption vulnerability in the HTTP daemon (httpd) of Juniper Networks Junos Space allows an unauthenticated network-based attacker flooding the device with inbound API calls to consume all resources on the system, leading to a Denial of Service (DoS).
After continuously flooding the system with inbound connection requests, all available file handles become consumed, blocking access to the system via SSH and the web user interface (WebUI), resulting in a management interface DoS. A manual reboot of the system is required to restore functionality.
This issue affects Junos Space:
* all versions before 22.2R1 Patch V3,
* from 23.1 before 23.1R1 Patch V3.
Severity ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos Space |
Affected:
0 , < 22.2R1 Patch V3
(semver)
Affected: 23.1 , < 23.1R1 Patch V3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59975",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:45:39.169763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:49:19.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos Space",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.2R1 Patch V3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "23.1R1 Patch V3",
"status": "affected",
"version": "23.1",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Uncontrolled Resource Consumption vulnerability in the HTTP daemon (httpd) of Juniper Networks Junos Space allows an unauthenticated network-based attacker flooding the device with inbound API calls to consume all resources on the system, leading to a Denial of Service (DoS).\u003cbr\u003e\u003cbr\u003eAfter continuously flooding the system with inbound connection requests, all available file handles become consumed, blocking access to the system via SSH and the web user interface (WebUI), resulting in a management interface DoS. A manual reboot of the system is required to restore functionality.\u003cbr\u003e\u003cbr\u003eThis issue affects Junos Space: \u003cbr\u003e\u003cul\u003e\u003cli\u003eall versions before 22.2R1 Patch V3, \u003c/li\u003e\u003cli\u003efrom 23.1 before 23.1R1 Patch V3.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "An Uncontrolled Resource Consumption vulnerability in the HTTP daemon (httpd) of Juniper Networks Junos Space allows an unauthenticated network-based attacker flooding the device with inbound API calls to consume all resources on the system, leading to a Denial of Service (DoS).\n\nAfter continuously flooding the system with inbound connection requests, all available file handles become consumed, blocking access to the system via SSH and the web user interface (WebUI), resulting in a management interface DoS. A manual reboot of the system is required to restore functionality.\n\nThis issue affects Junos Space: \n * all versions before 22.2R1 Patch V3, \n * from 23.1 before 23.1R1 Patch V3."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/V:C/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:58:33.416Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103172"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: Junos Space 22.2R1 Patch V3, 23.1R1 Patch V3, 24.1R1, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue: Junos Space 22.2R1 Patch V3, 23.1R1 Patch V3, 24.1R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103172",
"defect": [
"1746987"
],
"discovery": "USER"
},
"title": "Junos Space: Flooding device with inbound API calls leads to WebUI and CLI management access DoS",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use access lists or firewall filters to limit access to the device only from trusted hosts and administrators.\u003cbr\u003e"
}
],
"value": "Use access lists or firewall filters to limit access to the device only from trusted hosts and administrators."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-59975",
"datePublished": "2025-10-09T15:58:33.416Z",
"dateReserved": "2025-09-23T18:19:06.956Z",
"dateUpdated": "2025-10-09T19:49:19.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-60010 (GCVE-0-2025-60010)
Vulnerability from cvelistv5 – Published: 2025-10-09 16:20 – Updated: 2025-10-09 19:46
VLAI?
EPSS
Title
Junos OS and Junos OS Evolved: Device allows login for user with expired password
Summary
A password aging vulnerability in the RADIUS client of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated, network-based attacker to access the device without enforcing the required password change.
Affected devices allow logins by users for whom the RADIUS server has responded with a reject and required the user to change the password as their password was expired. Therefore the policy mandating the password change is not enforced.
This does not allow users to login with a wrong password, but only with the correct but expired one.
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2-S5,
* 24.2 versions before 24.2R2-S1,
* 24.4 versions before 24.4R1-S3, 24.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S4-EVO,
* 23.4 versions before 23.4R2-S5-EVO,
* 24.2 versions before 24.2R2-S1-EVO,
* 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO.
Severity ?
CWE
- CWE-262 - Not Using Password Aging
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 22.4R3-S8
(semver)
Affected: 23.2 , < 23.2R2-S4 (semver) Affected: 23.4 , < 23.4R2-S5 (semver) Affected: 24.2 , < 24.2R2-S1 (semver) Affected: 24.4 , < 24.4R1-S3, 24.4R2 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-60010",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T18:48:49.916110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:46:35.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.4R3-S8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S5",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2-S1",
"status": "affected",
"version": "24.2",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3, 24.4R2",
"status": "affected",
"version": "24.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.4R3-S8-EVO",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4-EVO",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S5-EVO",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2-S1-EVO",
"status": "affected",
"version": "24.2",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3-EVO, 24.4R2-EVO",
"status": "affected",
"version": "24.4",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue only affect systems where radius server is configured and refer to as follows:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[ system radius-server \u0026lt;IP address\u0026gt; ... ]\u003cbr\u003e[ system radius-options password-protocol mschap-v2 ]\u003cbr\u003e[ system authentication-order ... radius ... ]\u003c/tt\u003e"
}
],
"value": "This issue only affect systems where radius server is configured and refer to as follows:\n\n[ system radius-server \u003cIP address\u003e ... ]\n[ system radius-options password-protocol mschap-v2 ]\n[ system authentication-order ... radius ... ]"
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A password aging vulnerability in the RADIUS client of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated, network-based attacker to access the device without enforcing the required password change.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eAffected devices allow logins by users for whom the RADIUS server has responded with a reject and required the user to change the password as their password was expired. Therefore the policy mandating the password change is not enforced.\u003cbr\u003eThis does not allow users to login with a wrong password, but only with the correct but expired one.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects:\u003c/p\u003e\u003cp\u003eJunos OS:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 22.4R3-S8,\u003c/li\u003e\u003cli\u003e23.2 versions before 23.2R2-S4,\u003c/li\u003e\u003cli\u003e23.4 versions before 23.4R2-S5,\u003c/li\u003e\u003cli\u003e24.2 versions before 24.2R2-S1,\u003c/li\u003e\u003cli\u003e24.4 versions before 24.4R1-S3, 24.4R2;\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eJunos OS Evolved:\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 22.4R3-S8-EVO,\u003c/li\u003e\u003cli\u003e23.2 versions before 23.2R2-S4-EVO,\u003c/li\u003e\u003cli\u003e23.4 versions before 23.4R2-S5-EVO,\u003c/li\u003e\u003cli\u003e24.2 versions before 24.2R2-S1-EVO,\u003c/li\u003e\u003cli\u003e24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "A password aging vulnerability in the RADIUS client of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated, network-based attacker to access the device without enforcing the required password change.\n\nAffected devices allow logins by users for whom the RADIUS server has responded with a reject and required the user to change the password as their password was expired. Therefore the policy mandating the password change is not enforced.\nThis does not allow users to login with a wrong password, but only with the correct but expired one.\n\n\n\n\nThis issue affects:\n\nJunos OS:\u00a0\n\n\n\n * all versions before 22.4R3-S8,\n * 23.2 versions before 23.2R2-S4,\n * 23.4 versions before 23.4R2-S5,\n * 24.2 versions before 24.2R2-S1,\n * 24.4 versions before 24.4R1-S3, 24.4R2;\n\n\n\n\nJunos OS Evolved:\n\n\n\n * all versions before 22.4R3-S8-EVO,\n * 23.2 versions before 23.2R2-S4-EVO,\n * 23.4 versions before 23.4R2-S5-EVO,\n * 24.2 versions before 24.2R2-S1-EVO,\n * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-262",
"description": "CWE-262 Not Using Password Aging",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T16:20:28.121Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103168"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue:\u003cbr\u003eJunos OS Evolved: 22.4R3-S8-EVO, 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO,\u0026nbsp;and all subsequent releases;\u003cbr\u003eJunos OS: 22.4R3-S8, 23.2R2-S4, 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue:\nJunos OS Evolved: 22.4R3-S8-EVO, 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO,\u00a0and all subsequent releases;\nJunos OS: 22.4R3-S8, 23.2R2-S4, 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103168",
"defect": [
"1862890"
],
"discovery": "USER"
},
"title": "Junos OS and Junos OS Evolved: Device allows login for user with expired password",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue."
}
],
"value": "There are no known workarounds for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-60010",
"datePublished": "2025-10-09T16:20:28.121Z",
"dateReserved": "2025-09-23T18:19:06.961Z",
"dateUpdated": "2025-10-09T19:46:35.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59968 (GCVE-0-2025-59968)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:48 – Updated: 2025-10-09 16:03
VLAI?
EPSS
Title
Junos Space Security Director: Insufficient authorization for sensitive resources in web interface
Summary
A Missing Authorization vulnerability in the Juniper Networks Junos Space Security Director allows an unauthenticated network-based attacker to read or modify metadata via the web interface.
Tampering with this metadata can result in managed SRX Series devices permitting network traffic that should otherwise be blocked by policy, effectively bypassing intended security controls.
This issue affects Junos Space Security Director
* all versions prior to 24.1R3 Patch V4
This issue does not affect managed cSRX Series devices.
Severity ?
CWE
- CWE‑862: Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Juniper Networks | Junos Space Security Director |
Affected:
0 , < 24.1R3 Patch V4
(semver)
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59968",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T16:03:14.737515Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T16:03:31.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos Space Security Director",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "24.1R3 Patch V4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"cSRX"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"status": "unaffected",
"version": "0"
}
]
},
{
"defaultStatus": "affected",
"platforms": [
"vSRX Series",
"SRX Series"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRequired Configuration for Exposure:\u0026nbsp;\u003c/span\u003e\u003cbr\u003e\u003c/span\u003eCreate a Metadata using the Create Metadata administrative page."
}
],
"value": "Required Configuration for Exposure:\u00a0\nCreate a Metadata using the Create Metadata administrative page."
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA Missing Authorization vulnerability in the Juniper Networks Junos Space Security Director allows an unauthenticated network-based attacker to read or modify metadata via the web interface.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eTampering with this metadata can result in managed SRX Series devices permitting network traffic that should otherwise be blocked by policy, effectively bypassing intended security controls.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003eThis issue affects Junos Space Security Director \u003cbr\u003e\u003cul\u003e\u003cli\u003e all versions prior to 24.1R3 Patch V4\u003c/li\u003e\u003c/ul\u003eThis issue does not affect managed cSRX Series devices.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A Missing Authorization vulnerability in the Juniper Networks Junos Space Security Director allows an unauthenticated network-based attacker to read or modify metadata via the web interface.\u00a0\n\n\n\n\nTampering with this metadata can result in managed SRX Series devices permitting network traffic that should otherwise be blocked by policy, effectively bypassing intended security controls.\n\n\n\nThis issue affects Junos Space Security Director \n * all versions prior to 24.1R3 Patch V4\n\n\nThis issue does not affect managed cSRX Series devices."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/AU:Y/R:A/V:C/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u2011862: Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:48:08.091Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103157"
},
{
"tags": [
"technical-description"
],
"url": "https://www.juniper.net/documentation/us/en/software/nm-apps24.1/junos-space-security-director/topics/task/junos-space-metadata-creating.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe following software releases have been updated to resolve this specific issue:\u0026nbsp;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eJunos Space Security Director: 24.1R3 Patch V4, 24.1R4\u0026nbsp;and all subsequent releases.\u003c/div\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue:\u00a0\n\n\n\n\nJunos Space Security Director: 24.1R3 Patch V4, 24.1R4\u00a0and all subsequent releases."
}
],
"source": {
"advisory": "JSA103157",
"defect": [
"1867545"
],
"discovery": "USER"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-08T16:00:00.000Z",
"value": "Initial Publication"
}
],
"title": "Junos Space Security Director: Insufficient authorization for sensitive resources in web interface",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue.\u003cbr\u003eTo reduce the risk of exploitation, enable access control lists (ACLs) and other filtering mechanisms to limit access to the device only from trusted users, hosts and networks.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "There are no known workarounds for this issue.\nTo reduce the risk of exploitation, enable access control lists (ACLs) and other filtering mechanisms to limit access to the device only from trusted users, hosts and networks."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-59968",
"datePublished": "2025-10-09T15:48:08.091Z",
"dateReserved": "2025-09-23T18:19:06.955Z",
"dateUpdated": "2025-10-09T16:03:31.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59957 (GCVE-0-2025-59957)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:43 – Updated: 2025-10-09 19:49
VLAI?
EPSS
Title
Junos OS: EX4600 Series and QFX5000 Series: An attacker with physical access can open a persistent backdoor
Summary
An Origin Validation Error vulnerability in an insufficient protected file of Juniper Networks Junos OS on EX4600 Series and QFX5000 Series allows an unauthenticated attacker with physical access to the device to create a backdoor which allows complete control of the system.
When a device isn't configured with a root password, an attacker can modify a specific file. It's contents will be added to the Junos configuration of the device without being visible. This allows for the addition of any configuration unknown
to the actual operator, which includes users, IP addresses and other configuration which could allow unauthorized access to the device.
This exploit is persistent across reboots and even zeroization.
The indicator of compromise is a modified /etc/config/<platform>-defaults[-flex].conf file. Review that file for unexpected configuration statements, or compare it to an unmodified version which can be extracted from the original Juniper software image file. For details on the extraction procedure please contact Juniper Technical Assistance Center (JTAC).
To restore the device to a trusted initial configuration the system needs to be reinstalled from physical media.
This issue affects Junos OS on EX4600 Series and QFX5000 Series:
* All versions before 21.4R3,
* 22.2 versions before 22.2R3-S3.
Severity ?
CWE
- CWE-346 - Origin Validation Error
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 21.4R3
(semver)
Affected: 22.2 , < 22.2R3-S3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:45:08.214706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:49:29.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"EX4600",
"QFX5000"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.4R3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "22.2R3-S3",
"status": "affected",
"version": "22.2",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-10-08T12:20:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Origin Validation Error vulnerability in an insufficient protected file of Juniper Networks Junos OS on\u0026nbsp;EX4600 Series and QFX5000 Series allows an unauthenticated attacker with physical access to the device to create a backdoor which allows complete control of the system.\u003cbr\u003e\u003cbr\u003eWhen a device isn\u0027t configured with a root password, an attacker can modify a specific file. It\u0027s contents will be added to the Junos configuration of the device without being visible. This allows for the addition of any configuration unknown \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eto the actual operator,\u0026nbsp;\u003c/span\u003ewhich includes users, IP addresses and other configuration which could allow unauthorized access to the device.\u003cbr\u003eThis exploit is persistent across reboots and even zeroization.\u003cbr\u003e\u003cbr\u003eThe indicator of compromise is a modified /etc/config/\u0026lt;platform\u0026gt;-defaults[-flex].conf file. Review that file for unexpected configuration statements, or compare it to an unmodified version which can be\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eextracted from the original Juniper software image file\u003c/span\u003e. For details on the extraction procedure please contact Juniper Technical Assistance Center (JTAC).\u003cbr\u003e\u003cbr\u003eTo restore the device to a trusted initial configuration the system needs to be reinstalled from physical media.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS on EX4600 Series and QFX5000 Series:\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll versions before 21.4R3,\u003c/li\u003e\u003cli\u003e22.2 versions before 22.2R3-S3.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An Origin Validation Error vulnerability in an insufficient protected file of Juniper Networks Junos OS on\u00a0EX4600 Series and QFX5000 Series allows an unauthenticated attacker with physical access to the device to create a backdoor which allows complete control of the system.\n\nWhen a device isn\u0027t configured with a root password, an attacker can modify a specific file. It\u0027s contents will be added to the Junos configuration of the device without being visible. This allows for the addition of any configuration unknown \n\nto the actual operator,\u00a0which includes users, IP addresses and other configuration which could allow unauthorized access to the device.\nThis exploit is persistent across reboots and even zeroization.\n\nThe indicator of compromise is a modified /etc/config/\u003cplatform\u003e-defaults[-flex].conf file. Review that file for unexpected configuration statements, or compare it to an unmodified version which can be\u00a0extracted from the original Juniper software image file. For details on the extraction procedure please contact Juniper Technical Assistance Center (JTAC).\n\nTo restore the device to a trusted initial configuration the system needs to be reinstalled from physical media.\u00a0\n\nThis issue affects Junos OS on EX4600 Series and QFX5000 Series:\n\n\n\n * All versions before 21.4R3,\n * 22.2 versions before 22.2R3-S3."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/RE:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:43:23.110Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103146"
},
{
"tags": [
"technical-description"
],
"url": "https://supportportal.juniper.net/s/article/EX-QFX-Procedure-to-format-install-QFX5K-device-using-a-USB"
},
{
"tags": [
"technical-description"
],
"url": "https://support.juniper.net/support/requesting-support/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: 21.4R3, 22.2R3-S3, 22.3R1, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue: 21.4R3, 22.2R3-S3, 22.3R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103146",
"defect": [
"1514927"
],
"discovery": "INTERNAL"
},
"title": "Junos OS: EX4600 Series and QFX5000 Series: An attacker with physical access can open a persistent backdoor",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue."
}
],
"value": "There are no known workarounds for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-59957",
"datePublished": "2025-10-09T15:43:23.110Z",
"dateReserved": "2025-09-23T18:19:06.954Z",
"dateUpdated": "2025-10-09T19:49:29.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59958 (GCVE-0-2025-59958)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:44 – Updated: 2025-10-09 19:05
VLAI?
EPSS
Title
Junos OS Evolved: PTX Series: When a firewall filter rejects traffic these packets are erroneously sent to the RE
Summary
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to cause impact to confidentiality and availability.
When an output firewall filter is configured with one or more terms where the action is 'reject', packets matching these terms are erroneously sent to the Routing Engine (RE) and further processed there. Processing of these packets will consume limited RE resources. Also responses from the RE back to the source of this traffic could reveal confidential information about the affected device.
This issue only applies to firewall filters applied to WAN or revenue interfaces, so not the mgmt or lo0 interface of the routing-engine, nor any input filters.
This issue affects Junos OS Evolved on PTX Series:
* all versions before 22.4R3-EVO,
* 23.2 versions before 23.2R2-EVO.
Severity ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS Evolved |
Affected:
0 , < 22.4R3-EVO
(semver)
Affected: 23.2 , < 23.2R2-EVO (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:05:24.406953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:05:31.001Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"PTX Series"
],
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.4R3-EVO",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "23.2R2-EVO",
"status": "affected",
"version": "23.2",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To be affected by this issue a configuration like the following needs to be present:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[\u0026nbsp;firewall family \u0026lt;family\u0026gt; filter \u0026lt;filter\u0026gt;\u0026nbsp;term \u0026lt;term\u0026gt;\u0026nbsp;then reject ]\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e[ interfaces \u0026lt;interface\u0026gt; unit \u0026lt;unit\u0026gt; \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efamily \u0026lt;family\u0026gt;\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003efilter \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eoutput \u0026lt;filter\u0026gt; ]\u003c/span\u003e\u003cbr\u003e\n\n\u003c/tt\u003e"
}
],
"value": "To be affected by this issue a configuration like the following needs to be present:\n\n[\u00a0firewall family \u003cfamily\u003e filter \u003cfilter\u003e\u00a0term \u003cterm\u003e\u00a0then reject ]\n\n\n[ interfaces \u003cinterface\u003e unit \u003cunit\u003e family \u003cfamily\u003e\u00a0filter output \u003cfilter\u003e ]"
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to cause impact to confidentiality and availability.\u003cbr\u003e\u003cbr\u003eWhen \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ean output firewall filter is configured with one or more\u0026nbsp;\u003c/span\u003eterms where the action is \u0027reject\u0027, packets matching these terms are\u0026nbsp;erroneously sent to the Routing Engine (RE) and further processed there.\u0026nbsp;Processing of these packets will consume limited RE resources. Also responses from the RE back to the source of this traffic could reveal confidential information about the affected device.\u003cbr\u003eThis issue only applies to firewall filters applied to WAN or revenue interfaces, so not the mgmt or lo0 interface of the routing-engine, nor any input filters.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS Evolved on PTX Series:\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 22.4R3-EVO,\u003c/li\u003e\u003cli\u003e23.2 versions before 23.2R2-EVO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to cause impact to confidentiality and availability.\n\nWhen an output firewall filter is configured with one or more\u00a0terms where the action is \u0027reject\u0027, packets matching these terms are\u00a0erroneously sent to the Routing Engine (RE) and further processed there.\u00a0Processing of these packets will consume limited RE resources. Also responses from the RE back to the source of this traffic could reveal confidential information about the affected device.\nThis issue only applies to firewall filters applied to WAN or revenue interfaces, so not the mgmt or lo0 interface of the routing-engine, nor any input filters.\n\nThis issue affects Junos OS Evolved on PTX Series:\n\n\n\n * all versions before 22.4R3-EVO,\n * 23.2 versions before 23.2R2-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eJuniper SIRT is not aware of any malicious exploitation of this vulnerability.\u003c/p\u003e"
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:44:33.938Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103147"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe following software releases have been updated to resolve this specific issue: 22.4R3-EVO, 23.2R2-EVO, 23.4R1-EVO, and all subsequent releases.\u003c/p\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue: 22.4R3-EVO, 23.2R2-EVO, 23.4R1-EVO, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103147",
"defect": [
"1734892"
],
"discovery": "USER"
},
"title": "Junos OS Evolved: PTX Series: When a firewall filter rejects traffic these packets are erroneously sent to the RE",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To avoid this issue remove the affected \u003ctt\u003ereject\u003c/tt\u003e action from the respective term(s) and replace it with \u003ctt\u003ediscard\u003c/tt\u003e, or add \u003ctt\u003elog \u003c/tt\u003eor \u003ctt\u003esyslog \u003c/tt\u003eactions."
}
],
"value": "To avoid this issue remove the affected reject action from the respective term(s) and replace it with discard, or add log or syslog actions."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-av217"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-59958",
"datePublished": "2025-10-09T15:44:33.938Z",
"dateReserved": "2025-09-23T18:19:06.954Z",
"dateUpdated": "2025-10-09T19:05:31.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59964 (GCVE-0-2025-59964)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:46 – Updated: 2025-10-09 19:00
VLAI?
EPSS
Title
Junos OS: SRX4700: When forwarding-options sampling is enabled any traffic destined to the RE will cause the forwarding line card to crash and restart
Summary
A Use of Uninitialized Resource vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX4700 devices allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).
When forwarding-options sampling is enabled, receipt of any traffic destined to the Routing Engine (RE) by the PFE line card leads to an FPC crash and restart, resulting in a Denial of Service (DoS).
Continued receipt and processing of any traffic leading to the RE by the PFE line card will create a sustained Denial of Service (DoS) condition to the PFE line card.
This issue affects Junos OS on SRX4700:
* from 24.4 before 24.4R1-S3, 24.4R2
This issue affects IPv4 and IPv6.
Severity ?
CWE
- CWE-908 - Use of Uninitialized Resource
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
24.4 , < 24.4R1-S3, 24.4R2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T18:59:53.970460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:00:04.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"SRX4700"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "24.4R1-S3, 24.4R2",
"status": "affected",
"version": "24.4",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBelow is the configuration to check if sampling is enabled. \u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003ctt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp; [ forwarding-options sampling ]\u003c/span\u003e\u003c/tt\u003e\u003cbr\u003e"
}
],
"value": "Below is the configuration to check if sampling is enabled. \n\n\u00a0 [ forwarding-options sampling ]"
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Use of Uninitialized Resource vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX4700\u0026nbsp;\u003cspan style=\"background-color: rgb(251, 251, 251);\"\u003edevices allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen forwarding-options sampling\u0026nbsp;\u003c/span\u003eis enabled, receipt\u0026nbsp;of any traffic destined to the Routing Engine (RE) by the PFE line card\u0026nbsp;\u003cspan style=\"background-color: rgb(251, 251, 251);\"\u003eleads to an FPC crash and restart, resulting in a Denial of Service (DoS). \u003cbr\u003e\u003cbr\u003eContinued receipt and processing of any traffic leading to the RE by the PFE line card will create a sustained Denial of Service (DoS) condition to the PFE line card.\u003cspan style=\"background-color: rgb(251, 251, 251);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003c/p\u003e\u003c/span\u003e\u003cp\u003eThis issue affects\u0026nbsp;Junos OS on SRX4700:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003efrom 24.4 before 24.4R1-S3, 24.4R2\u003c/li\u003e\u003c/ul\u003eThis issue affects IPv4 and IPv6.\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A Use of Uninitialized Resource vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX4700\u00a0devices allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).\n\nWhen forwarding-options sampling\u00a0is enabled, receipt\u00a0of any traffic destined to the Routing Engine (RE) by the PFE line card\u00a0leads to an FPC crash and restart, resulting in a Denial of Service (DoS). \n\nContinued receipt and processing of any traffic leading to the RE by the PFE line card will create a sustained Denial of Service (DoS) condition to the PFE line card.\n\n\nThis issue affects\u00a0Junos OS on SRX4700:\u00a0\n\n\n\n * from 24.4 before 24.4R1-S3, 24.4R2\n\n\nThis issue affects IPv4 and IPv6."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908: Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:46:25.285Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103153"
},
{
"tags": [
"technical-description"
],
"url": "https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/sampling-edit-forwarding-options.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: \u003cbr\u003e\u003cbr\u003eJunos OS: 24.4R1-S3, 24.4R2,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e25.2R1 and all subsequent releases.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue: \n\nJunos OS: 24.4R1-S3, 24.4R2,\u00a025.2R1 and all subsequent releases."
}
],
"source": {
"advisory": "JSA103153",
"defect": [
"1867583"
],
"discovery": "USER"
},
"title": "Junos OS: SRX4700: When forwarding-options sampling is enabled any traffic destined to the RE will cause the forwarding line card to crash and restart",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To workaround this issue an administrator must block all traffic from the PFE line card to the Routing Engine (RE) until a fix can be taken.\u003cbr\u003eEven while under a persistent DoS attack the RE will continue to be accessible to administrators through non-PFE line card interfaces E.g. Console, FXP0.\u003cbr\u003e"
}
],
"value": "To workaround this issue an administrator must block all traffic from the PFE line card to the Routing Engine (RE) until a fix can be taken.\nEven while under a persistent DoS attack the RE will continue to be accessible to administrators through non-PFE line card interfaces E.g. Console, FXP0."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-59964",
"datePublished": "2025-10-09T15:46:25.285Z",
"dateReserved": "2025-09-23T18:19:06.955Z",
"dateUpdated": "2025-10-09T19:00:04.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-60006 (GCVE-0-2025-60006)
Vulnerability from cvelistv5 – Published: 2025-10-09 16:18 – Updated: 2025-10-10 03:55
VLAI?
EPSS
Title
Junos OS Evolved: OS command injection vulnerabilities fixed
Summary
Multiple instances of an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulnerability in the CLI of Juniper Networks Junos OS Evolved could be used to elevate privileges and/or execute unauthorized commands.
When an attacker executes crafted CLI commands, the options are processed via a script in some cases. These scripts are not hardened so injected commands might be executed via the shell, which allows an attacker to perform operations, which they should not be able to do according to their assigned permissions.
This issue affects Junos OS Evolved:
* 24.2 versions before 24.2R2-S2-EVO,
* 24.4 versions before 24.4R2-EVO.
This issue does not affect Junos OS Evolved versions earlier than 24.2R1-EVO.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS Evolved |
Affected:
24.2 , < 24.2R2-S2-EVO
(semver)
Affected: 24.4 , < 24.4R2-EVO (semver) Unaffected: 0 , < 24.2R1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-60006",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T03:55:26.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "24.2R2-S2-EVO",
"status": "affected",
"version": "24.2",
"versionType": "semver"
},
{
"lessThan": "24.4R2-EVO",
"status": "affected",
"version": "24.4",
"versionType": "semver"
},
{
"lessThan": "24.2R1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multiple instances of an Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003evulnerability in the CLI of \u003c/span\u003eJuniper Networks Junos OS Evolved could be used to elevate privileges and/or execute unauthorized commands.\u003cbr\u003e\u003cbr\u003eWhen an attacker executes crafted CLI commands, the options are processed via a script in some cases. These scripts are not hardened so injected commands might be executed via the shell, which allows an attacker to perform operations, which they should not be able to do according to their assigned permissions.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS Evolved:\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e24.2 versions before 24.2R2-S2-EVO,\u003c/li\u003e\u003cli\u003e24.4 versions before 24.4R2-EVO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue does not affect Junos OS Evolved versions earlier than 24.2R1-EVO.\u003c/p\u003e"
}
],
"value": "Multiple instances of an Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) \n\nvulnerability in the CLI of Juniper Networks Junos OS Evolved could be used to elevate privileges and/or execute unauthorized commands.\n\nWhen an attacker executes crafted CLI commands, the options are processed via a script in some cases. These scripts are not hardened so injected commands might be executed via the shell, which allows an attacker to perform operations, which they should not be able to do according to their assigned permissions.\n\nThis issue affects Junos OS Evolved:\n\n\n\n * 24.2 versions before 24.2R2-S2-EVO,\n * 24.4 versions before 24.4R2-EVO.\n\n\n\n\nThis issue does not affect Junos OS Evolved versions earlier than 24.2R1-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:Y/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T16:18:55.227Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103163"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue:\u003cbr\u003eJunos OS Evolved: 24.2R2-S2-EVO, 24.4R2-EVO, 25.2R1-EVO,\u0026nbsp;and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue:\nJunos OS Evolved: 24.2R2-S2-EVO, 24.4R2-EVO, 25.2R1-EVO,\u00a0and all subsequent releases."
}
],
"source": {
"advisory": "JSA103163",
"defect": [
"1870684"
],
"discovery": "INTERNAL"
},
"title": "Junos OS Evolved: OS command injection vulnerabilities fixed",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue.\u003cbr\u003eUse access lists or firewall filters to limit access to the CLI only from trusted hosts and administrators. \u003cbr\u003e"
}
],
"value": "There are no known workarounds for this issue.\nUse access lists or firewall filters to limit access to the CLI only from trusted hosts and administrators."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-60006",
"datePublished": "2025-10-09T16:18:55.227Z",
"dateReserved": "2025-09-23T18:19:06.960Z",
"dateUpdated": "2025-10-10T03:55:26.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-60004 (GCVE-0-2025-60004)
Vulnerability from cvelistv5 – Published: 2025-10-09 16:18 – Updated: 2025-10-09 19:46
VLAI?
EPSS
Title
Junos OS and Junos OS Evolved: Specific BGP EVPN update message causes rpd crash
Summary
An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-Of-Service (DoS).
When an affected system receives a specific BGP EVPN update message over an established BGP session, this causes an rpd crash and restart.
A BGP EVPN configuration is not necessary to be vulnerable. If peers are not configured to send BGP EVPN updates to a vulnerable device, then this issue can't occur.
This issue affects iBGP and eBGP, over IPv4 and IPv6.
This issue affects:
Junos OS:
* 23.4 versions from
23.4R2-S3 before 23.4R2-S5,
* 24.2 versions from
24.2R2
before 24.2R2-S1,
* 24.4 versions before 24.4R1-S3, 24.4R2;
Junos OS Evolved:
* 23.4-EVO versions from 23.4R2-S2-EVO before 23.4R2-S5-EVO,
* 24.2-EVO versions from 24.2R2-EVO before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.
Severity ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
23.4R2-S3 , < 23.4R2-S5
(semver)
Affected: 24.2R2 , < 24.2R2-S1 (semver) Affected: 24.4R1 , < 24.4R1-S3, 24.4R2 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-60004",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T18:47:25.363001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:46:51.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "23.4R2-S5",
"status": "affected",
"version": "23.4R2-S3",
"versionType": "semver"
},
{
"lessThan": "24.2R2-S1",
"status": "affected",
"version": "24.2R2",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3, 24.4R2",
"status": "affected",
"version": "24.4R1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "23.4R2-S5-EVO",
"status": "affected",
"version": "23.4R2-S2-EVO",
"versionType": "semver"
},
{
"lessThan": "24.2R2-S1-EVO",
"status": "affected",
"version": "24.2R2-EVO",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3-EVO, 24.4R2-EVO",
"status": "affected",
"version": "24.4R1-EVO",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To be exposed to this issue a BGP peering needs to be configured via:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[ protocols bgp ... neighbor ... ]\u003c/tt\u003e"
}
],
"value": "To be exposed to this issue a BGP peering needs to be configured via:\n\n[ protocols bgp ... neighbor ... ]"
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-Of-Service (DoS).\u003cbr\u003e\u003cbr\u003eWhen an affected system receives a specific BGP EVPN update message over an established BGP session, this causes an rpd crash and restart.\u003cbr\u003e\u003cbr\u003eA BGP EVPN configuration is not necessary to be vulnerable. If peers are not configured to send BGP EVPN updates to a vulnerable device, then this issue can\u0027t occur.\u003cbr\u003e\nThis issue affects iBGP and eBGP, over IPv4 and IPv6.\u003cbr\u003e\u003cbr\u003e\nThis issue affects:\u003cbr\u003eJunos OS:\u003cbr\u003e\u003cul\u003e\u003cli\u003e23.4 versions from \n\n23.4R2-S3 before\u0026nbsp;23.4R2-S5,\u003c/li\u003e\u003cli\u003e24.2 versions from \n\n24.2R2 \n\nbefore 24.2R2-S1,\u003c/li\u003e\u003cli\u003e24.4 versions before 24.4R1-S3, 24.4R2;\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003eJunos OS Evolved:\u003cbr\u003e\u003cul\u003e\u003cli\u003e23.4-EVO versions from 23.4R2-S2-EVO before 23.4R2-S5-EVO,\u003c/li\u003e\u003cli\u003e24.2-EVO versions from 24.2R2-EVO before 24.2R2-S1-EVO,\u003c/li\u003e\u003cli\u003e24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.\n\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-Of-Service (DoS).\n\nWhen an affected system receives a specific BGP EVPN update message over an established BGP session, this causes an rpd crash and restart.\n\nA BGP EVPN configuration is not necessary to be vulnerable. If peers are not configured to send BGP EVPN updates to a vulnerable device, then this issue can\u0027t occur.\n\nThis issue affects iBGP and eBGP, over IPv4 and IPv6.\n\n\nThis issue affects:\nJunos OS:\n * 23.4 versions from \n\n23.4R2-S3 before\u00a023.4R2-S5,\n * 24.2 versions from \n\n24.2R2 \n\nbefore 24.2R2-S1,\n * 24.4 versions before 24.4R1-S3, 24.4R2;\n\n\n\nJunos OS Evolved:\n * 23.4-EVO versions from 23.4R2-S2-EVO before 23.4R2-S5-EVO,\n * 24.2-EVO versions from 24.2R2-EVO before 24.2R2-S1-EVO,\n * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/RE:M",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T16:18:27.118Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103165"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue:\u003cbr\u003eJunos OS Evolved: 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO,\u0026nbsp;and all subsequent releases;\u003cbr\u003eJunos OS: 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue:\nJunos OS Evolved: 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO,\u00a0and all subsequent releases;\nJunos OS: 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103165",
"defect": [
"1860302"
],
"discovery": "INTERNAL"
},
"title": "Junos OS and Junos OS Evolved: Specific BGP EVPN update message causes rpd crash",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue."
}
],
"value": "There are no known workarounds for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-60004",
"datePublished": "2025-10-09T16:18:27.118Z",
"dateReserved": "2025-09-23T18:19:06.960Z",
"dateUpdated": "2025-10-09T19:46:51.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59967 (GCVE-0-2025-59967)
Vulnerability from cvelistv5 – Published: 2025-10-09 15:47 – Updated: 2025-10-09 16:11
VLAI?
EPSS
Title
Junos OS Evolved: ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509: When specific valid multicast traffic is received on the L3 interface on a vulnerable device evo-pfemand crashes and restarts
Summary
A NULL Pointer Dereference vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved on ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509 devices allows an unauthenticated, adjacent attacker to cause a
Denial-of-Service (DoS).
Whenever specific valid multicast traffic is received on any layer 3 interface the evo-pfemand process crashes and restarts.
Continued receipt of specific valid multicast traffic results in a sustained Denial of Service (DoS) attack.
This issue affects Junos OS Evolved on ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509:
* from 23.2R2-EVO before 23.2R2-S4-EVO,
* from 23.4R1-EVO before 23.4R2-EVO.
This issue affects IPv4 and IPv6.
This issue does not affect Junos OS Evolved ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509 versions before 23.2R2-EVO.
Severity ?
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS Evolved |
Affected:
23.2R2-EVO , < 23.2R2-S4-EVO
(semver)
Affected: 23.4R1-EVO , < 23.4R2-EVO (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T16:10:54.290535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T16:11:02.135Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"evo-pfemand"
],
"platforms": [
"ACX7348",
"ACX7024",
"ACX7509",
"ACX7024X",
"ACX7100-32C",
"ACX7100-48L"
],
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "23.2R2-S4-EVO",
"status": "affected",
"version": "23.2R2-EVO",
"versionType": "semver"
},
{
"lessThan": "23.4R2-EVO",
"status": "affected",
"version": "23.4R1-EVO",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRequired Configuration for Exposure:\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003ctt\u003e\u0026nbsp; [ Interface \u201cinterface\u201d unit \u201cunit\u201d\nfamily inet\naddress \u201caddress\u201d ]\u003cbr\u003eor\u003cbr\u003e\u0026nbsp; [ Interface \u201cinterface\u201d unit \u201cunit\u201d\nfamily inet6 address \u201caddress\u201d ]\u003cbr\u003e\u003c/tt\u003e\u003cp\u003eThis issue does not require a multicast configuration to be set on the device.\u003cbr\u003e\u003c/p\u003e\u003ctt\u003e\u003c/tt\u003e"
}
],
"value": "Required Configuration for Exposure:\n\n\u00a0 [ Interface \u201cinterface\u201d unit \u201cunit\u201d\nfamily inet\naddress \u201caddress\u201d ]\nor\n\u00a0 [ Interface \u201cinterface\u201d unit \u201cunit\u201d\nfamily inet6 address \u201caddress\u201d ]\nThis issue does not require a multicast configuration to be set on the device."
}
],
"datePublic": "2025-10-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA NULL Pointer Dereference vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved on \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7024,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7024X,\u003c/span\u003e\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7100-32C,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7100-48L,\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7348,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7509 devices a\u003c/span\u003e\u003c/span\u003e\u003c/span\u003ellows an unauthenticated, adjacent attacker to cause a \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDenial-of-Service (DoS).\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eWhenever specific valid multicast traffic is received on any layer 3 interface the evo-pfemand process crashes and restarts.\u003cbr\u003e\u003cbr\u003eContinued receipt of specific valid multicast traffic\u003cspan style=\"background-color: rgb(251, 251, 251);\"\u003e\u0026nbsp;results in a sustained Denial of Service (DoS) attack. \u003cbr\u003e\u003c/span\u003e\u003cp\u003eThis issue affects Junos OS Evolved on \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7024, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7024X,\u003c/span\u003e\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7100-32C, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7100-48L, \u003c/span\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7348, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7509:\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003efrom 23.2R2-EVO before 23.2R2-S4-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4R1-EVO before 23.4R2-EVO.\u003c/li\u003e\u003c/ul\u003eThis issue affects IPv4 and IPv6. \u003cbr\u003e\u003cbr\u003eThis issue does not affect Junos OS Evolved \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7024, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7024X,\u003c/span\u003e\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7100-32C, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7100-48L, \u003c/span\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7348, \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACX7509\u0026nbsp;\u003c/span\u003e\u003c/span\u003e\u003c/span\u003eversions before 23.2R2-EVO.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A NULL Pointer Dereference vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved on ACX7024,\u00a0ACX7024X,\u00a0ACX7100-32C,\u00a0ACX7100-48L,\u00a0ACX7348,\u00a0ACX7509 devices allows an unauthenticated, adjacent attacker to cause a \n\nDenial-of-Service (DoS).\n\nWhenever specific valid multicast traffic is received on any layer 3 interface the evo-pfemand process crashes and restarts.\n\nContinued receipt of specific valid multicast traffic\u00a0results in a sustained Denial of Service (DoS) attack. \nThis issue affects Junos OS Evolved on ACX7024, ACX7024X,\u00a0ACX7100-32C, ACX7100-48L, ACX7348, ACX7509:\u00a0\n\n\n\n * from 23.2R2-EVO before 23.2R2-S4-EVO,\u00a0\n * from 23.4R1-EVO before 23.4R2-EVO.\n\n\nThis issue affects IPv4 and IPv6. \n\nThis issue does not affect Junos OS Evolved ACX7024, ACX7024X,\u00a0ACX7100-32C, ACX7100-48L, ACX7348, ACX7509\u00a0versions before 23.2R2-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T15:47:10.103Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA103156"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: \u003cbr\u003e\u003cbr\u003eJunos OS Evolved: 23.2R2-S4-EVO, 23.4R2-EVO, 24.2R1-EVO, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue: \n\nJunos OS Evolved: 23.2R2-S4-EVO, 23.4R2-EVO, 24.2R1-EVO, and all subsequent releases."
}
],
"source": {
"advisory": "JSA103156",
"defect": [
"1807221"
],
"discovery": "USER"
},
"title": "Junos OS Evolved: ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509: When specific valid multicast traffic is received on the L3 interface on a vulnerable device evo-pfemand crashes and restarts",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue.\u003cbr\u003eTo reduce the risk of exploitation, enable access control lists (ACLs) and other filtering mechanisms to limit access to the device only from trusted hosts.\u003cbr\u003e"
}
],
"value": "There are no known workarounds for this issue.\nTo reduce the risk of exploitation, enable access control lists (ACLs) and other filtering mechanisms to limit access to the device only from trusted hosts."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-59967",
"datePublished": "2025-10-09T15:47:10.103Z",
"dateReserved": "2025-09-23T18:19:06.955Z",
"dateUpdated": "2025-10-09T16:11:02.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…