Juniper Junos OS Evolved vulnerabilities
231 known vulnerabilities affecting juniper/junos_os_evolved.
Total CVEs: 231
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 132, MEDIUM 97
Vulnerabilities
Page 1 of 12
CVE-2026-21902 | CRITICAL | CVSS 9.3 | CWE-732 | v25.4 | 2026-02-25
An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root.
The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal
nvd
CVE-2025-60003 | HIGH | CVSS 8.7 | CWE-126 | fixed in 22.4 | v22.4 +4 more | 2026-01-15
A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will
nvd
CVE-2026-21911 | HIGH | CVSS 7.1 | CWE-682 | fixed in 21.4 | v21.4 +5 more | 2026-01-15
An Incorrect Calculation vulnerability in the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage.
nvd
CVE-2026-21909 | HIGH | CVSS 7.1 | CWE-401 | v23.2, v23.4 +1 more | 2026-01-15
A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all avail
nvd
CVE-2026-21908 | HIGH | CVSS 7.5 | CWE-416 | v23.2, v23.4 +3 more | 2026-01-15
A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the proc
nvd
CVE-2026-21921 | HIGH | CVSS 7.1 | CWE-416 | fixed in 22.4 | v22.4 +2 more | 2026-01-15
A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS).
When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-cap
nvd
CVE-2025-60011 | MEDIUM | CVSS 6.9 | CWE-754 | fixed in 22.4 | v22.4 +4 more | 2026-01-15
An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an availability impact for downstream devices.
When an affected device receives a specific optional, transitive BGP attribute over an
nvd
CVE-2025-59960 | MEDIUM | CVSS 6.3 | CWE-754 | fixed in 21.4 | v21.4 +7 more | 2026-01-15
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server.
By default, the DHCP relay agent inserts i
nvd
CVE-2025-59959 | MEDIUM | CVSS 6.8 | CWE-822 | fixed in 22.4 | v22.4 +4 more | 2026-01-15
An Untrusted Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with low privileges to cause a Denial-of-Service (DoS).
When the command 'show route detail' is executed, and at least one of the routes in the intended output has specific attr
nvd
CVE-2025-59961 | MEDIUM | CVSS 6.8 | CWE-732 | fixed in 22.4 | v22.4 +5 more | 2026-01-15
An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to write to the Unix socket used to manage the jdhcpd process, resulting in complete control over the resource.
This vulnerability allows any low-privileged
nvd
CVE-2025-52961 | HIGH | CVSS 7.1 | CWE-400 | v23.2, v23.4 +2 more | 2025-10-09
An Uncontrolled Resource Consumption vulnerability in the Connectivity Fault Management (CFM) daemon and the Connectivity Fault Management Manager (cfmman) of Juniper Networks Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
An attacker on
nvd
CVE-2025-59967 | HIGH | CVSS 7.1 | CWE-476 | v23.2, v23.4 | 2025-10-09
A NULL Pointer Dereference vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved on ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509 devices allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
Whenever specific valid multicast traffic is received on any layer 3 interfa
nvd
CVE-2025-60004 | HIGH | CVSS 8.7 | CWE-754 | v23.4, v24.2 +1 more | 2025-10-09
An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-Of-Service (DoS).
When an affected system receives a specific BGP EVPN update message over an established BGP session, this cau
nvd
CVE-2025-60010 | MEDIUM | CVSS 5.3 | CWE-262 | fixed in 22.4 | v22.4 +4 more | 2025-10-09
A password aging vulnerability in the RADIUS client of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated, network-based attacker to access the device without enforcing the required password change.
Affected devices allow logins by users for whom the RADIUS server has responded with a reject and required the user to change the p
nvd
CVE-2025-59962 | MEDIUM | CVSS 6.0 | CWE-824 | fixed in 22.3 | v22.3 +2 more | 2025-10-09
An Access of Uninitialized Pointer vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved with BGP sharding configured allows an attacker triggering indirect next-hop updates, along with timing outside the attacker's control, to cause rpd to crash and restart, leading to a Denial of Service (DoS).
With
nvd
CVE-2025-59958 | MEDIUM | CVSS 6.9 | CWE-754 | fixed in 22.4 | v22.4 +1 more | 2025-10-09
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to cause impact to confidentiality and availability.
When an output firewall filter is configured with one or more terms where the action is
nvd
CVE-2025-60006 | MEDIUM | CVSS 4.8 | CWE-78 | v24.2, v24.4 | 2025-10-09
Multiple instances of an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS Evolved could be used to elevate privileges and/or execute unauthorized commands.
When an attacker executes crafted CLI commands, the options are processed via a script in some cas
nvd
CVE-2025-52955 | HIGH | CVSS 7.1 | CWE-131 | v21.2, v21.4 +5 more | 2025-07-11
An Incorrect Calculation of Buffer Size vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent unauthenticated attacker to cause a memory corruption that leads to a rpd crash.
When the logical interface using a routing instance flaps continuously, specific updates are sent to the jflow
nvd
CVE-2025-52949 | HIGH | CVSS 7.1 | CWE-130 | fixed in 22.2 | v22.2 +5 more | 2025-07-11
An Improper Handling of Length Parameter Inconsistency vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this p
nvd
CVE-2025-52984 | HIGH | CVSS 8.2 | CWE-476 | fixed in 22.4 | v22.4 +3 more | 2025-07-11
A NULL Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause impact to the availability of the device.
When a static route points to a reject next hop and a gNMI query is processed for that static route, rpd crashes and restarts
nvd