CVE-2025-60004 in Junos OS

Summary

by MITRE • 10/09/2025

An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-Of-Service (DoS).

When an affected system receives a specific BGP EVPN update message over an established BGP session, this causes an rpd crash and restart.

A BGP EVPN configuration is not necessary to be vulnerable. If peers are not configured to send BGP EVPN updates to a vulnerable device, then this issue can't occur.

This issue affects iBGP and eBGP, over IPv4 and IPv6.


This issue affects:

Junos OS:
* 23.4 versions from 23.4R2-S3 before 23.4R2-S5,
* 24.2 versions from 24.2R2 before 24.2R2-S1,
* 24.4 versions before 24.4R1-S3, 24.4R2;

Junos OS Evolved:
* 23.4-EVO versions from 23.4R2-S2-EVO before 23.4R2-S5-EVO,
* 24.2-EVO versions from 24.2R2-EVO before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.


Analysis

by VulDB Data Team • 10/09/2025

The vulnerability described in CVE-2025-60004 represents a critical improper check for unusual or exceptional conditions within the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved systems. This flaw manifests as a denial-of-service condition that can be triggered by unauthenticated network-based attackers without requiring any specific configuration to be present on the target device. The vulnerability specifically targets the BGP EVPN update message processing functionality, where an attacker can send a specially crafted message over an established BGP session to cause the rpd process to crash and restart. According to the CWE taxonomy, this corresponds to CWE-252, which describes an improper check for unusual or exceptional conditions, and aligns with ATT&CK technique T1499.100 for network denial-of-service attacks. The vulnerability demonstrates a fundamental failure in input validation and error handling within the routing daemon's processing pipeline.

The technical implementation of this vulnerability stems from insufficient validation of BGP EVPN update messages received by the rpd daemon. When a vulnerable system processes a specific malformed or unexpected BGP EVPN update, the routing daemon fails to properly handle the exceptional condition and instead crashes, leading to a complete service disruption. The crash occurs regardless of whether the device has BGP EVPN configuration enabled, as the vulnerability exists in the basic message processing logic of the rpd daemon. This affects both internal BGP (iBGP) and external BGP (eBGP) sessions, and operates across both IPv4 and IPv6 address families, making the attack surface particularly broad. The vulnerability requires only that a BGP session be established with the target device, and that the peer be configured to send BGP EVPN updates, which is a common practice in enterprise networks. The specific versions affected include multiple release streams across the 23.4, 24.2, and 24.4 branches of both standard Junos OS and Junos OS Evolved platforms, indicating this is a widespread issue affecting several major release lines.

The operational impact of CVE-2025-60004 is severe and can result in complete disruption of network routing services, potentially affecting large portions of an organization's network infrastructure. When the rpd daemon crashes and restarts, it causes the device to lose its routing information and temporarily become unable to forward traffic, leading to widespread network outages. The vulnerability can be exploited by attackers from outside the network perimeter since it requires only an established BGP session, which may be exposed to external peers in many enterprise environments. The restart of the rpd process creates a cascading effect where routing tables are rebuilt, potentially causing temporary network instability and traffic disruption. Network administrators face significant operational challenges when dealing with this vulnerability, as the attack can occur without any authentication requirements and can be automated, making it particularly dangerous in environments where BGP sessions are not properly secured or monitored.

Mitigation strategies for CVE-2025-60004 should focus on both immediate defensive measures and long-term remediation. The primary recommended action is to upgrade affected systems to patched versions of Junos OS or Junos OS Evolved, as provided by Juniper Networks. Organizations should also implement network segmentation and access control measures to limit BGP session establishment to trusted peers only, reducing the attack surface. Network monitoring should be enhanced to detect unusual BGP update patterns that may indicate exploitation attempts, and automated alerting systems should be configured to notify administrators of rpd restart events. Additional defensive measures include implementing BGP session authentication mechanisms, such as MD5 authentication, and configuring BGP policies to filter and validate EVPN update messages before they reach the routing daemon. According to industry best practices and ATT&CK framework recommendations, organizations should also conduct regular vulnerability assessments and maintain up-to-date network security monitoring to detect and respond to similar threats. The vulnerability underscores the importance of robust input validation and error handling in critical network infrastructure components, and serves as a reminder of the need for comprehensive security testing throughout the software development lifecycle.
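To support the upgrade step, the following added example (not part of the original advisory and not Juniper tooling) checks Junos version strings against the affected ranges listed in the summary. The hostnames and inventory are constructed, and reading "before 24.4R1-S3, 24.4R2" as a single upper bound at 24.4R1-S3 is an assumption.

```python
import re

# Affected ranges transcribed from the advisory: (first affected, first fixed).
# Keys are (major, minor, R-number, S-number); a missing -S counts as 0.
AFFECTED = {
    "junos": [
        ((23, 4, 2, 3), (23, 4, 2, 5)),
        ((24, 2, 2, 0), (24, 2, 2, 1)),
        # Assumption: "before 24.4R1-S3, 24.4R2" = every 24.4 release below R1-S3.
        ((24, 4, 0, 0), (24, 4, 1, 3)),
    ],
    "evo": [
        ((23, 4, 2, 2), (23, 4, 2, 5)),
        ((24, 2, 2, 0), (24, 2, 2, 1)),
        ((24, 4, 0, 0), (24, 4, 1, 3)),
    ],
}

# Accepts e.g. 23.4R2-S3, 24.4R1.10 (build suffix ignored), 23.4R2-S2.5-EVO.
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$", re.I)

def parse_version(text):
    """Return (platform, sortable key) or raise ValueError if unrecognised."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    major, minor, rel, svc, evo = m.groups()
    return ("evo" if evo else "junos"), (int(major), int(minor), int(rel), int(svc or 0))

def is_affected(text):
    platform, key = parse_version(text)
    return any(lo <= key < hi for lo, hi in AFFECTED[platform])

def triage(inventory):
    """Map hostname -> 'affected' | 'not affected' | 'unparsed'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unparsed"  # review by hand, never assume safe
    return result

# Constructed inventory (hypothetical hostnames), e.g. gathered from "show version".
SAMPLE = {"edge1": "23.4R2-S4.2", "edge2": "24.4R2",
          "spine1": "23.4R2-S2.5-EVO", "lab1": "24.2X1-D10"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Versions that do not match the standard release pattern are reported as unparsed rather than safe, so special builds get a manual check against the vendor advisory.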

Responsible: Juniper
Reservation: 09/23/2025
Disclosure: 10/09/2025
Moderation: accepted
CPE: ready
EPSS: 0.00385
KEV: no
Activities: very low
