Introduction
A single malformed BGP EVPN update can disrupt routing across a service provider or enterprise backbone, causing outages and traffic loss. CVE-2025-60004 highlights a critical flaw in Juniper Networks Junos OS and Junos OS Evolved, where the routing protocol daemon (rpd) can be crashed remotely by an unauthenticated attacker with BGP access. This post provides a brief summary of the vulnerability, affected versions, technical mechanism, and detection strategies.
About Juniper Networks: Juniper is a major networking vendor whose Junos OS and Junos OS Evolved power routers and switches in global service provider, data center, and enterprise environments. Their platforms are integral to the operation of internet backbones, cloud networks, and large enterprise WANs.
Technical Information
CVE-2025-60004 is classified as an improper check for unusual or exceptional conditions (CWE-754) in the routing protocol daemon (rpd) of Junos OS and Junos OS Evolved. When a vulnerable system receives a specially crafted BGP EVPN update message over an established BGP session, rpd crashes and restarts. This results in a denial of service, as all routing protocol sessions are dropped and must be re-established. The issue is not limited to systems with explicit BGP EVPN configuration; any device capable of receiving BGP EVPN updates from peers is potentially vulnerable. Both iBGP and eBGP sessions over IPv4 and IPv6 are affected. The root cause is insufficient validation or error handling in the EVPN update message parsing logic within rpd. No public code snippets or proof of concept are available for this issue.
Detection Methods
Detecting vulnerabilities in Juniper Junos OS, such as the one referenced in advisory JSA103165, involves a combination of automated scanning tools and manual verification processes.
Automated Scanning with Nessus:
Tenable's Nessus vulnerability scanner includes a specific plugin (ID 269727) designed to identify the presence of the vulnerability described in JSA103165. This plugin operates by:
-
Version Verification: It checks the version of Junos OS installed on the target device. If the version matches those known to be vulnerable, the plugin flags the system as potentially affected.
-
Configuration Assessment: The plugin may also assess specific configurations or settings that could indicate susceptibility to the vulnerability.
It's important to note that Nessus relies on the self-reported version information from the device and does not exploit the vulnerability during the scan. Therefore, while it can identify potential vulnerabilities, it cannot confirm their exploitability.
Manual Verification:
In addition to automated scanning, manual verification steps are recommended:
- Review System Logs: Examine system logs for any unusual activity or error messages that could suggest exploitation attempts.
- Monitor Network Traffic: Analyze network traffic for patterns or anomalies that may indicate an attack targeting the specific vulnerability.
- Consult Vendor Documentation: Refer to Juniper's official documentation and advisories to understand the vulnerability's specifics and recommended detection methods.
Indicators of Compromise (IoCs):
While specific IoCs for this vulnerability are not detailed in the available sources, general signs of exploitation may include:
- Unexpected system reboots or crashes.
- Unusual spikes in network traffic.
- Unauthorized configuration changes.
Monitoring Guidance:
To effectively monitor for potential exploitation:
- Implement Intrusion Detection Systems (IDS): Deploy IDS solutions that can detect known attack signatures related to Junos OS vulnerabilities.
- Regularly Update Signatures: Ensure that IDS and other security tools have up-to-date signatures to recognize the latest threats.
- Conduct Regular Vulnerability Scans: Schedule periodic scans using tools like Nessus to identify and address vulnerabilities promptly.
By combining automated tools with manual monitoring and staying informed through vendor advisories, organizations can enhance their detection capabilities against vulnerabilities in Junos OS.
References for Detection:
Affected Systems and Versions
The following Juniper products and versions are affected:
Junos OS:
- 23.4 versions from 23.4R2-S3 before 23.4R2-S5
- 24.2 versions from 24.2R2 before 24.2R2-S1
- 24.4 versions before 24.4R1-S3 and 24.4R2
Junos OS Evolved:
- 23.4-EVO versions from 23.4R2-S2-EVO before 23.4R2-S5-EVO
- 24.2-EVO versions from 24.2R2-EVO before 24.2R2-S1-EVO
- 24.4-EVO versions before 24.4R1-S3-EVO and 24.4R2-EVO
Vulnerability Exposure:
- Devices do not require BGP EVPN configuration to be vulnerable. Exposure exists if BGP peers can send EVPN updates to the device.
- Both iBGP and eBGP over IPv4 and IPv6 are affected.
Vendor Security History
Juniper Networks has a history of BGP and EVPN-related vulnerabilities, such as CVE-2025-52949 and CVE-2025-52958, both involving rpd crashes on malformed BGP messages. The vendor typically issues timely advisories and coordinates with security vendors for detection plugin updates. Juniper maintains a dedicated security advisory portal and regularly updates customers on patch availability and mitigation guidance.
