Introduction
A regression in Juniper's Junos OS 25.2 release train introduced a BGP input validation flaw that lets an adjacent, unauthenticated attacker reset an established BGP session with a single genuine packet, and sustain the disruption indefinitely through repeated transmission. For any organization that recently upgraded peering infrastructure to the 25.2 train, this vulnerability (CVE-2026-33797, CVSS v3.1: 7.4) directly threatens routing stability across both eBGP and iBGP adjacencies on IPv4 and IPv6.
Technical Information
Root Cause: Improper Input Validation in the BGP Processing Daemon
CVE-2026-33797 is classified under CWE-20 (Improper Input Validation). The flaw resides in the BGP processing daemon of both Junos OS and Junos OS Evolved. When a device running an affected version receives a specific genuine BGP packet from a peer within an already established BGP session, the daemon fails to properly validate the packet contents. This improper validation triggers a reset of that exact BGP session.
A critical detail here is that the triggering packet is described as "genuine," meaning it conforms to BGP protocol specifications well enough to be accepted by the session's TCP connection and passed to the BGP state machine. This is not a malformed packet attack that would be caught by basic sanity checks or perimeter filters. The packet is processed within the context of an authenticated, established BGP session, which means it arrives over an existing TCP port 179 connection that has already completed the BGP OPEN handshake.
The bug is a regression introduced specifically in the 25.2R1 release cycle. Versions prior to 25.2R1 (and 25.2R1-EVO for the Evolved platform) were never vulnerable. This narrow scope suggests the flaw was introduced during development of the 25.2 train, likely in a code path related to BGP UPDATE or attribute processing that was modified or added in that release.
Attack Requirements and Flow
Exploitation requires the following preconditions:
- Adjacency: The attacker must be on an adjacent network segment (CVSS Attack Vector: Adjacent). This means the attacker needs to be a BGP peer or have the ability to inject traffic into an existing peering link.
- Established BGP session: The target device must have an active, established BGP session with the attacker's system (or a system the attacker can influence). The vulnerable configuration is any BGP neighbor relationship configured under [ protocols bgp group <group> neighbor ].
- No authentication or privileges required: The attack requires no user interaction (UI:N) and no elevated privileges (PR:N) beyond the ability to send BGP packets within the established session.
The attack flow proceeds as follows:
- The attacker establishes or leverages an existing BGP session with the target Junos OS 25.2 device. In many real-world deployments, eBGP sessions with external peers or iBGP sessions with route reflectors would be viable targets.
- The attacker sends a specific genuine BGP packet within the established session. The exact packet structure has not been publicly disclosed, but it is a valid BGP message that triggers the input validation flaw.
- The target device's BGP daemon improperly processes the packet, resulting in an immediate reset of that specific BGP session.
- To sustain the Denial of Service, the attacker waits for the BGP session to re-establish (which happens automatically in most configurations) and then sends the triggering packet again. This cycle of session establishment followed by immediate reset creates persistent routing churn and reachability loss on that adjacency.
Impact Characterization
The impact is strictly limited to availability. There is no confidentiality or integrity risk. However, the availability impact is rated High because sustained BGP session resets prevent route convergence and can cause cascading reachability problems depending on the role of the affected device in the routing topology.
The CVSS v3.1 vector string is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, yielding a base score of 7.4. The Scope is Changed (S:C), indicating that the impact extends beyond the vulnerable component itself, which makes sense given that a BGP session reset affects routing decisions on both sides of the peering relationship and potentially across the broader routing domain.
The CVSS v4.0 score is 7.1 with vector CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L.
Protocol and Address Family Scope
Both iBGP and eBGP sessions are affected. Both IPv4 and IPv6 peering sessions are in scope. This means the vulnerability is not limited to a specific address family or BGP deployment model; any BGP neighbor configuration on an affected version is exposed.
Patch Information
Juniper Networks addressed CVE-2026-33797 through official software releases published on April 8, 2026, as documented in advisory JSA107850. The fix corrects the input validation logic in the BGP packet processing path so that the specific genuine BGP packet that previously triggered a session reset is now properly handled.
The internal bug is tracked under PR1893316, visible via Juniper's customer support portal at prsearch.juniper.net.
The following patched releases contain the fix:
| Platform | Fixed Release(s) |
|---|---|
| Junos OS | 25.2R2, 25.4R1, and all subsequent releases |
| Junos OS Evolved | 25.2R2-EVO, 25.4R1-EVO, and all subsequent releases |
Juniper has confirmed there are no workarounds for this issue. Upgrading to a patched release is the only remediation path. Organizations should immediately inventory their routing infrastructure to identify any devices running the 25.2 or 25.2-EVO releases and schedule upgrades accordingly.
For vulnerability scanning, Nessus plugin 305584 (juniper_jsa107850.nasl), published on April 8, 2026, can detect vulnerable hosts by checking the self-reported Junos OS version number.
Detection Methods
Detecting CVE-2026-33797 requires a layered approach combining vulnerability scanning, configuration auditing, and real-time behavioral monitoring.
Vulnerability Scanning with Nessus
Tenable has published Nessus plugin ID 305584 (file: juniper_jsa107850.nasl), released on April 8, 2026, under the "Junos Local Security Checks" family. This plugin performs a version-based check against the device's self-reported Junos OS version by requiring the KB item Host/Juniper/JUNOS/Version. It maps directly to Juniper advisory JSA107850 and will flag any Junos OS 25.2 installations prior to 25.2R2 and Junos OS Evolved 25.2-EVO installations prior to 25.2R2-EVO. The plugin confirms exposure based on version number but does not detect active exploitation.
Configuration Exposure Verification
A device is vulnerable only if BGP neighbors are configured under [ protocols bgp group <group> neighbor ]. Administrators can verify exposure by running:
show configuration protocols bgp
All BGP peering configurations on the affected version range should be considered in scope, including both eBGP and iBGP sessions across IPv4 and IPv6.
BGP Session State Monitoring and Log Analysis
The most telling behavioral indicator of active exploitation is unexpected, repeated BGP session flapping. Juniper's BGP troubleshooting documentation recommends using show bgp summary to identify peer sessions that are not in the Established state or that show elevated flap counters. The "Flaps" column and "Last Up/Dwn" values in this output are critical. A peer that repeatedly goes down and comes back up in rapid succession warrants investigation.
To capture BGP state transitions in the system log, enable log-updown under [edit protocols bgp]. Once enabled, BGP state transition events are written to syslog, making it possible to correlate sudden session drops across multiple peers. Operators should look for BGP sessions transitioning from Established to Idle or Active without any corresponding maintenance window or configuration change. As noted in the Juniper BGP troubleshooting guide, "a neighbor state flip-flopping between Connect and Active is an indication that there is a problem."
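The log correlation described above, as an added example (not Juniper's tooling or code from this page): it counts transitions out of Established per peer from log-updown syslog lines and flags peers that drop repeatedly inside a time window. The line format, the sample lines, the threshold and the window are assumptions; a flagged peer is a lead for investigation, not proof of exploitation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shape of a log-updown syslog line; adjust the pattern to your collector.
STATE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) rpd\[\d+\]: "
    r"RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer (?P<peer>\S+) \(.*?\) "
    r"changed state from (?P<old>\w+) to (?P<new>\w+)"
)

# Constructed sample lines (documentation addresses and AS numbers), not real logs.
SAMPLE_LOG = """\
Apr  9 10:00:05 edge1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64500) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
Apr  9 10:00:41 edge1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64500) changed state from Established to Idle (event Closed) (instance master)
Apr  9 10:01:00 edge1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 198.51.100.7 (External AS 64501) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
Apr  9 10:02:10 edge1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64500) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
Apr  9 10:02:44 edge1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64500) changed state from Established to Idle (event Closed) (instance master)
Apr  9 10:03:00 edge1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 2001:db8::2 (Internal AS 64496) changed state from Established to Idle (event HoldTime) (instance master)
Apr  9 10:04:30 edge1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64500) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
Apr  9 10:05:02 edge1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64500) changed state from Established to Idle (event Closed) (instance master)
"""

def established_drops(log_text, year=2026):
    """Collect, per (host, peer), the times a session left Established."""
    drops = defaultdict(list)
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if m and m["old"] == "Established" and m["new"] != "Established":
            # Classic syslog timestamps carry no year, so one is assumed.
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            drops[(m["host"], m["peer"])].append(when)
    return drops

def flapping_peers(log_text, min_drops=3, window=timedelta(minutes=10)):
    """Return {(host, peer): total drops} for peers with min_drops inside window."""
    flagged = {}
    for key, times in established_drops(log_text).items():
        times.sort()
        # Slide over every run of min_drops consecutive drops.
        for i in range(len(times) - min_drops + 1):
            if times[i + min_drops - 1] - times[i] <= window:
                flagged[key] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for (host, peer), count in flapping_peers(SAMPLE_LOG).items():
        print(f"{host}: peer {peer} left Established {count} times")
```

Cross-check flagged peers against maintenance windows and configuration changes before escalating, since a single hold-timer expiry or planned reset also appears as a drop.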
For deeper packet-level inspection, Juniper's BGP traceoptions facility allows detailed logging of all BGP protocol packets. Under [edit protocols bgp traceoptions], administrators can configure flags such as flag update detail, flag packets, or flag open detail to log sent and received BGP messages to a trace file, which can then be reviewed with show log <filename>.
Network Traffic Analysis
Since the attack vector is adjacent network (CVSS AV:A), IDS/IPS sensors and packet capture tools positioned to observe BGP traffic (TCP port 179) between peers can be used to look for anomalous patterns. Captured traffic can be inspected for unusual BGP UPDATE messages arriving just before session resets occur. While no public exploit signature or specific packet pattern has been disclosed for this CVE, correlating packet captures with syslog timestamps of BGP resets can help confirm exploitation.
Summary of Detection Indicators
In the absence of public exploit code or published IDS signatures specific to CVE-2026-33797, detection relies primarily on: (1) version-based scanning using Nessus plugin 305584, (2) verifying the presence of the required BGP configuration, (3) monitoring for anomalous BGP session resets via syslog and show bgp summary, and (4) leveraging BGP traceoptions and packet captures for deeper investigation when session instability is detected on affected 25.2 releases.
Affected Systems and Versions
The vulnerability has a narrow scope, affecting only the 25.2 release train:
| Product | Affected Versions | Not Affected |
|---|---|---|
| Junos OS | 25.2 versions before 25.2R2 | All versions before 25.2R1 |
| Junos OS Evolved | 25.2-EVO versions before 25.2R2-EVO | All versions before 25.2R1-EVO |
The vulnerable configuration is any BGP neighbor relationship configured under [ protocols bgp group <group> neighbor ]. Both eBGP and iBGP sessions are affected. Both IPv4 and IPv6 peering sessions are in scope.
Devices running older release trains (such as 24.x or earlier) are not affected and do not require emergency patching for this specific CVE.
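The affected-version table above, applied to an inventory as an added example (not Tenable's plugin logic or Juniper's code): it parses Junos release strings and marks hosts in the 25.2 train before 25.2R2. Hostnames and version strings are constructed, and anything the pattern cannot parse is returned for manual review.

```python
import re

# Release strings such as 25.2R1.9, 25.2R1-S2.3 or 25.2R1-S1-EVO:
# <major>.<minor><type><number>..., with a trailing -EVO for Junos OS Evolved.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)([A-Za-z])(\d+)")

def classify(version):
    """Return 'affected', 'not-affected' or 'review' for CVE-2026-33797."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "review"                 # unparseable string: check by hand
    if (int(m[1]), int(m[2])) != (25, 2):
        return "not-affected"           # only the 25.2 train has the regression
    if m[3].upper() != "R":
        return "review"                 # non-R builds are not covered by the table
    return "affected" if int(m[4]) < 2 else "not-affected"

def upgrade_targets(version):
    """Fixed releases named in the advisory for the host's platform."""
    evo = version.strip().upper().endswith("-EVO")
    return ("25.2R2-EVO", "25.4R1-EVO") if evo else ("25.2R2", "25.4R1")

# Constructed inventory (hypothetical hostnames and versions).
INVENTORY = {
    "pe1": "25.2R1.9",
    "pe2": "25.2R1-S1.4-EVO",
    "rr1": "25.2R2",
    "edge3": "24.4R2-S1.3",
    "core1": "25.4R1-EVO",
    "lab9": "unknown",
}

def triage(inventory):
    """Map each host needing action to (status, fixed releases)."""
    report = {}
    for host, version in sorted(inventory.items()):
        status = classify(version)
        if status != "not-affected":
            report[host] = (status, upgrade_targets(version))
    return report

if __name__ == "__main__":
    for host, (status, targets) in triage(INVENTORY).items():
        print(f"{host}: {status}, fixed in {' or '.join(targets)}")
```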
Vendor Security History
Juniper Networks has experienced several notable security events that provide context for the urgency of patching CVE-2026-33797.
In December 2015, an analysis of Juniper ScreenOS firmware revealed unauthorized code that created a backdoor, allowing attackers to bypass authentication and passively decrypt VPN traffic. This incident highlighted the risks associated with network infrastructure compromise.
More recently, multiple vulnerabilities in Juniper Junos OS affecting the J-Web interface (CVE-2023-36844 and CVE-2023-36845) were heavily targeted by threat actors. These 2023 vulnerabilities were officially listed by CISA as top routinely exploited vulnerabilities in their 2023 advisory. This history demonstrates that threat actors actively analyze and exploit Juniper network infrastructure.
On July 2, 2025, Juniper Networks was acquired by Hewlett Packard Enterprise (HPE) and transitioned into HPE Networking. Organizations seeking support for CVE-2026-33797 should ensure their support contracts and portals are properly mapped to current HPE Networking processes.
As of April 10, 2026, there are no public reports of CVE-2026-33797 being actively exploited in the wild. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog. However, given the historical pattern of Juniper vulnerability exploitation, proactive remediation remains the prudent course of action.
References
- NVD: CVE-2026-33797
- CVE Record: CVE-2026-33797
- Juniper KB: JSA107850
- Juniper Support Portal: 2026-04 Security Bulletin
- Tenable: CVE-2026-33797
- Tenable Nessus Plugin 305584
- Tenable: CVE-2026-33797 Plugins
- Feedly CVE Tracking: CVE-2026-33797
- Juniper BGP Troubleshooting Documentation
- Juniper KB: BGP PREFIX SID ATTR MALFORMED
- CISA Known Exploited Vulnerabilities Catalog
- CISA: 2023 Top Routinely Exploited Vulnerabilities
- Juniper Networks (Wikipedia)



