CVE-2025-21602 in Junos OS

Summary

by MITRE • 01/09/2025

An Improper Handling of Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a specific BGP update packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS).

Continuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

This issue affects iBGP and eBGP, and both IPv4 and IPv6 are affected by this vulnerability.

This issue affects Junos OS:

* from 21.4 before 21.4R3-S9,
* from 22.2 before 22.2R3-S5,
* from 22.3 before 22.3R3-S4,
* from 22.4 before 22.4R3-S5,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S3,
* from 24.2 before 24.2R1-S2, 24.2R2;

This issue does not affect versions prior to 21.1R1.

Junos OS Evolved:

* from 21.4 before 21.4R3-S9-EVO,
* from 22.2 before 22.2R3-S5-EVO,
* from 22.3 before 22.3R3-S4-EVO,
* from 22.4 before 22.4R3-S5-EVO,
* from 23.2 before 23.2R2-S3-EVO,
* from 23.4 before 23.4R2-S3-EVO,
* from 24.2 before 24.2R1-S2-EVO, 24.2R2-EVO.

This issue does not affect versions prior to 21.1R1-EVO.


Analysis

by VulDB Data Team • 01/26/2026

The vulnerability described in CVE-2025-21602 represents a critical weakness in the routing protocol daemon rpd of Juniper Networks Junos OS and Junos OS Evolved systems. This issue falls under the category of improper handling of exceptional conditions, which is classified as CWE-754 in the Common Weakness Enumeration framework. The flaw manifests when the rpd process encounters a specifically crafted BGP update packet, leading to an uncontrolled crash and subsequent restart of the routing daemon. This behavior creates a direct path to denial of service conditions that can be exploited by adjacent attackers without requiring authentication credentials.

The technical implementation of this vulnerability involves the rpd daemon's insufficient error handling mechanisms when processing certain BGP update messages. The affected protocols include both internal BGP (iBGP) and external BGP (eBGP) configurations, with the vulnerability affecting both IPv4 and IPv6 address families. This broad scope increases the potential attack surface significantly, as the exploit can target various network topologies and routing configurations. The vulnerability specifically impacts the routing protocol daemon's ability to gracefully handle malformed or unexpected BGP update packets, causing the daemon to enter an unstable state that results in system restart.

The operational impact of this vulnerability extends beyond simple service disruption to create sustained denial of service conditions when attackers continuously send the malicious BGP update packets. This persistent nature of the attack means that network operators must not only respond to initial disruptions but also maintain continuous monitoring and recovery efforts. The affected versions span multiple release branches of Junos OS and Junos OS Evolved, indicating a widespread exposure across different network infrastructure deployments. The vulnerability affects systems from version 21.4 through 24.2, with specific patch releases required to address the issue in each affected branch, making the remediation process complex for network administrators managing multiple device versions.

Network security professionals should consider this vulnerability in relation to the ATT&CK framework's privilege escalation and denial of service tactics, as the issue allows an adjacent attacker to cause system instability without requiring elevated privileges. The exploitability of this vulnerability through adjacent network access aligns with ATT&CK technique T1499.004, which covers network disruption through manipulation of routing protocols. Organizations should implement immediate mitigations including network segmentation to limit adjacent access to BGP peers, deployment of BGP update filtering mechanisms, and implementation of monitoring solutions to detect unusual BGP update patterns. The vulnerability's presence in multiple versions suggests that network administrators should prioritize patching efforts across their entire infrastructure, particularly focusing on the most recent affected branches to ensure complete protection against this specific threat vector.

The remediation approach for CVE-2025-21602 requires careful coordination of software updates across all affected Junos OS and Junos OS Evolved devices. Network operators must verify their current system versions against the patched release schedules provided by Juniper Networks, ensuring that all devices within their network infrastructure receive the appropriate security updates. This vulnerability demonstrates the critical importance of maintaining current security patches for routing protocols, as these systems form the backbone of network connectivity and stability. The issue also highlights the necessity of implementing robust network monitoring solutions that can detect and alert on anomalous BGP update behaviors, providing early warning capabilities that complement the patch-based remediation efforts. Organizations should conduct thorough testing of patch deployments in their network environments to ensure that the security updates do not introduce compatibility issues or unintended side effects in their routing configurations.
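The version check described above, as an added example (not VulDB's or Juniper's code): it compares device version strings against the fixed releases listed in the summary. The version-string shape, the R-then-S ordering, and the inventory hostnames and versions are assumptions made for the example.

```python
import re

# First fixed release per branch, copied from the affected-version list on
# this page, as (R number, S number). The -EVO releases use the same numbers.
FIXED = {
    "21.4": (3, 9), "22.2": (3, 5), "22.3": (3, 4), "22.4": (3, 5),
    "23.2": (2, 3), "23.4": (2, 3), "24.2": (1, 2),
}

# Assumed shape: YY.N R<r> [-S<s>] [.build] [-EVO], e.g. 22.4R3-S2.1-EVO
VERSION_RE = re.compile(
    r"^(?P<branch>\d{2}\.\d)R(?P<r>\d+)(?:-S(?P<s>\d+))?(?:\.\d+)?(?P<evo>-EVO)?$"
)

def parse(version):
    """Return (branch, (R, S), is_evo), or None for shapes not handled here."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    return m["branch"], (int(m["r"]), int(m["s"] or 0)), bool(m["evo"])

def status(version):
    """Classify one version string against the page's affected ranges."""
    parsed = parse(version)
    if parsed is None:
        return "unparsed"          # e.g. X or I builds: check by hand
    branch, release, _ = parsed
    if tuple(int(x) for x in branch.split(".")) < (21, 1):
        return "not-affected"      # page: versions prior to 21.1R1 not affected
    if branch not in FIXED:
        return "not-listed"        # branch absent from the page's list
    # Assumption: releases order by R number first, then S number.
    return "fixed" if release >= FIXED[branch] else "affected"

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {
    "edge-1": "21.4R3-S8.2", "edge-2": "22.4R3-S5",
    "core-1": "24.2R1-S1-EVO", "core-2": "24.2R2-EVO",
    "lab-1": "20.4R3-S10", "lab-2": "23.1R1", "lab-3": "23.4X1",
}

def audit(inventory):
    """Map each host to its status."""
    return {host: status(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:8} {INVENTORY[host]:16} {result}")
```

Hosts reported as "not-listed" or "unparsed" need a manual check against the vendor advisory, since the page gives no fixed release for those branches or build types.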

Responsible: Juniper

Reservation: 12/26/2024

Disclosure: 01/09/2025

Moderation: accepted

CPE: ready

EPSS: 0.00231

KEV: no

Activities: very low
