CVE-2025-60007 in Junos OS
Summary
by MITRE • 01/15/2026
A NULL Pointer Dereference vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS on MX, SRX and EX Series allows a local attacker with low privileges to cause a Denial-of-Service (DoS).
When a user executes the 'show chassis' command with specifically crafted options, chassisd will crash and restart. Due to this all components but the Routing Engine (RE) in the chassis are reinitialized, which leads to a complete service outage, which the system automatically recovers from.
This issue affects:
Junos OS on MX, SRX and EX Series, except MX10000 Series and MX304:
* all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability described in CVE-2025-60007 represents a critical NULL pointer dereference flaw within the chassis daemon component of Juniper Networks Junos OS operating on MX, SRX, and EX Series devices. This issue manifests when a local attacker with minimal privileges executes the 'show chassis' command with specifically crafted parameters that trigger the daemon to attempt accessing a null memory reference. The exploitation process directly leads to a system crash of the chassisd process, resulting in an immediate denial-of-service condition that affects the entire chassis infrastructure.
The technical implementation of this vulnerability stems from inadequate input validation within the chassisd daemon's command processing logic. When the 'show chassis' command receives malformed or specially constructed arguments, the daemon fails to properly handle null pointer references during its internal processing routines. This failure pattern aligns with CWE-476, which categorizes NULL pointer dereference as a common weakness in software design. The daemon's inability to gracefully handle unexpected input parameters creates a condition where memory access violations occur, causing the process to terminate abruptly.
The operational impact of this vulnerability extends beyond simple service disruption as the chassisd daemon crash triggers a cascading failure across the chassis architecture. Upon system restart, all chassis components except the Routing Engine undergo complete reinitialization, creating a significant service outage that can last several minutes depending on the device configuration. This behavior demonstrates the interconnected nature of chassis components and how a single daemon failure can compromise the entire system availability. The automatic recovery mechanism, while providing resilience, introduces additional complexity as the system must reinitialize multiple hardware components simultaneously.
The affected product lines include various Junos OS versions across MX, SRX, and EX Series platforms, with specific version constraints indicating the vulnerability's persistence across multiple release branches. The timeline of affected versions suggests this flaw has existed for several release cycles, with the issue being addressed through multiple service pack releases. This pattern reflects common software development practices where vulnerabilities are identified and patched incrementally across different version streams. The exclusion of MX10000 and MX304 Series devices indicates that the vulnerability may be specific to certain hardware architectures or software configurations within the broader Junos OS ecosystem.
Mitigation strategies for this vulnerability should focus on immediate deployment of available patches and service packs that address the NULL pointer dereference condition. Network administrators should prioritize updating affected devices to versions 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S2, or 24.4R2, depending on their current software version. Additionally, implementing monitoring solutions to detect abnormal command execution patterns and establishing robust incident response procedures can help minimize the impact of potential exploitation attempts. The vulnerability's classification under ATT&CK technique T1499.004 for network denial-of-service indicates that this issue could potentially be leveraged as part of broader attack campaigns targeting network availability and operational resilience.