Juniper Junos OS Evolved vulnerabilities

231 known vulnerabilities affecting juniper/junos_os_evolved.

Total CVEs: 231
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 132, MEDIUM 97

Vulnerabilities

Page 2 of 12
CVE-2025-52988 | HIGH | CVSS 8.4 | fixed in 22.4 | v22.4 +2 more | 2025-07-11
CVE-2025-52988 [HIGH] CWE-78: An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, local attacker to escalate their privileges to root. When a user provides specifically crafted arguments to the 'request system logout' command, these will b
nvd
CVE-2025-52954 | HIGH | CVSS 8.5 | fixed in 22.2 | v22.2 +5 more | 2025-07-11
CVE-2025-52954 [HIGH] CWE-862: A Missing Authorization vulnerability in the internal virtual routing and forwarding (VRF) of Juniper Networks Junos OS Evolved allows a local, low-privileged user to gain root privileges, leading to a system compromise. Any low-privileged user with the capability to send packets over the internal VRF can execute arbitrary Junos commands and modify t
nvd
CVE-2025-52964 | HIGH | CVSS 7.1 | fixed in 21.4 | v21.4 +4 more | 2025-07-11
CVE-2025-52964 [HIGH] CWE-617: A Reachable Assertion vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When the device receives a specific BGP UPDATE packet, the rpd crashes and restarts. Continuous receipt of this specific packet will cause a su
nvd
CVE-2025-52946 | HIGH | CVSS 8.7 | fixed in 22.4 | v22.4 +3 more | 2025-07-11
CVE-2025-52946 [HIGH]: A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS cond
nvd
CVE-2025-52953 | HIGH | CVSS 7.1 | fixed in 22.2 | v22.2 +5 more | 2025-07-11
CVE-2025-52953 [HIGH] CWE-440: An Expected Behavior Violation vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS). Continuous receipt and processing of this packet will create a sustained
nvd
CVE-2025-52986 | MEDIUM | CVSS 6.8 | fixed in 22.2 | v22.2 +5 more | 2025-07-11
CVE-2025-52986 [MEDIUM] CWE-401: A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the device. When RIB sharding is enabled and a user executes one of several routing related 'show' commands, a certain
nvd
CVE-2025-52958 | MEDIUM | CVSS 6.0 | fixed in 22.2 | v22.2 +4 more | 2025-07-11
CVE-2025-52958 [MEDIUM] CWE-617: A Reachable Assertion vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS). On all Junos OS and Junos OS Evolved devices, when route validation is enabled, a rare condition during BGP initial session establishment can lead t
nvd
CVE-2025-52989 | MEDIUM | CVSS 6.8 | fixed in 22.4 | v22.4 +4 more | 2025-07-11
CVE-2025-52989 [MEDIUM] CWE-140: An Improper Neutralization of Delimiters vulnerability in the UI of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with high privileges to modify the system configuration. A user with limited configuration and commit permissions, using a specifically crafted annotate configuration command, can change any part
nvd
CVE-2025-52985 | MEDIUM | CVSS 6.9 | v23.2, v23.4 +2 more | 2025-07-11
CVE-2025-52985 [MEDIUM] CWE-480: A Use of Incorrect Operator vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions. When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more
nvd
CVE-2025-30648 | HIGH | CVSS 7.1 | v22.4, v23.2 +2 more | 2025-04-09
CVE-2025-30648 [HIGH] CWE-20: An Improper Input Validation vulnerability in the Juniper DHCP Daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause the jdhcpd process to crash resulting in a Denial of Service (DoS). When a specifically malformed DHCP packet is received from a DHCP client, the jdhcpd process crashes,
nvd
CVE-2025-30646 | HIGH | CVSS 7.1 | fixed in 21.4 | v21.4 +5 more | 2025-04-09
CVE-2025-30646 [HIGH] CWE-195: A Signed to Unsigned Conversion Error vulnerability in the Layer 2 Control Protocol daemon (l2cpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated adjacent attacker sending a specifically malformed LLDP TLV to cause the l2cpd process to crash and restart, causing a Denial of Service (DoS). Continued receipt
nvd
CVE-2025-21595 | HIGH | CVSS 7.1 | fixed in 21.2 | v21.2 +4 more | 2025-04-09
CVE-2025-21595 [HIGH] CWE-401: A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause an FPC to crash, leading to Denial of Service (DoS). On all Junos OS and Junos OS Evolved platforms, in an EVPN-VXLAN scenario, when specific A
nvd
CVE-2025-30651 | HIGH | CVSS 8.7 | fixed in 21.2 | v21.2 +5 more | 2025-04-09
CVE-2025-30651 [HIGH] CWE-805: A Buffer Access with Incorrect Length Value vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When an attacker sends a specific ICMPv6 packet to an interface with "protocols router-advertisement" configured, rpd cras
nvd
CVE-2025-21597 | MEDIUM | CVSS 6.0 | fixed in 21.2 | v21.2 +6 more | 2025-04-09
CVE-2025-21597 [MEDIUM] CWE-754: An Improper Check for Unusual or Exceptional Conditions vulnerability in routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer to cause Denial of Service (DoS). On all Junos OS and Junos OS Evolved platforms, when BGP rib-sharding and update-threading are configured, a
nvd
CVE-2025-30653 | MEDIUM | CVSS 6.0 | fixed in 22.2 | v22.2 +3 more | 2025-04-09
CVE-2025-30653 [MEDIUM] CWE-825: An Expired Pointer Dereference vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause Denial of Service (DoS). On all Junos OS and Junos OS Evolved platforms, when an MPLS Label-Switched Path (LSP) is configured with node-link-protection and transport-clas
nvd
CVE-2025-30654 | MEDIUM | CVSS 6.8 | fixed in 21.4 | v21.4 +4 more | 2025-04-09
CVE-2025-30654 [MEDIUM] CWE-200: An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged, authenticated attacker with access to the CLI to access sensitive information. Through the execution of a specific show mgd command, a user with limited permissions
nvd
CVE-2025-30655 | MEDIUM | CVSS 6.8 | fixed in 21.2 | v21.2 +5 more | 2025-04-09
CVE-2025-30655 [MEDIUM] CWE-754: An Improper Check for Unusual or Exceptional Conditions vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to cause a Denial-of-Service (DoS). When a specific "show bgp neighbor" CLI command is run, the rpd cpu utilization rises and eventually causes a crash a
nvd
CVE-2025-30652 | MEDIUM | CVSS 6.8 | fixed in 21.2 | v21.2 +6 more | 2025-04-09
CVE-2025-30652 [MEDIUM] CWE-755: An Improper Handling of Exceptional Conditions vulnerability in routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker executing a CLI command to cause a Denial of Service (DoS). When asregex-optimized is configured and a specific "show route as-path" CLI command is executed, the rpd
nvd
CVE-2024-39564 | HIGH | CVSS 8.7 | fixed in 21.2 | v21.2 +6 more | 2025-02-05
CVE-2024-39564 [HIGH]: This is a similar, but different vulnerability than the issue reported as CVE-2024-39549. A double-free vulnerability in the routing process daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker to send a malformed BGP Path attribute update which allocates memory used to log the bad path attribute. This double free of memory is ca
nvd
CVE-2025-21598 | HIGH | CVSS 8.2 | v21.4, v22.2 +5 more | 2025-01-09
CVE-2025-21598 [HIGH] CWE-125: An Out-of-bounds Read vulnerability in Juniper Networks Junos OS and Junos OS Evolved's routing protocol daemon (rpd) allows an unauthenticated, network-based attacker to send malformed BGP packets to a device configured with packet receive trace options enabled to crash rpd. This issue affects: Junos OS: * from 21.2R3-S8 before 21.2R3-S9, * from 2
nvd