CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber
Description
A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).
An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition.
This issue affects Junos OS Evolved PTX Series:
* All versions before 22.4R3-S8-EVO,
* from 23.2 before 23.2R2-S5-EVO,
* from 23.4 before 23.4R2-EVO,
* from 24.2 before 24.2R2-EVO,
* from 24.4 before 24.4R2-EVO.
This issue affects Junos OS Evolved on QFX5000 Series:
* 22.2-EVO version before 22.2R3-S7-EVO,
* 22.4-EVO version before 22.4R3-S7-EVO,
* 23.2-EVO versions before 23.2R2-S4-EVO,
* 23.4-EVO versions before 23.4R2-S5-EVO,
* 24.2-EVO versions before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO.
Analysis
Unauthenticated buffer overflow in Juniper Networks Junos OS Evolved advanced forwarding toolkit (evo-aftmand/evo-pfemand) permits adjacent attackers to crash PTX Series and QFX5000 Series devices via crafted multicast packets. Exploitation triggers line card or device restart, sustaining denial of service under continuous attack. Affects multiple Junos OS Evolved release branches before patched versions. No public exploit identified at time of analysis. Attack requires adjacent network access but no authentication, making exploitation feasible in shared network segments.
Technical Context
Classic buffer overflow (CWE-120) in the forwarding plane management daemons, which process oversized multicast packets without bounds checking. Affects the advanced forwarding toolkit components responsible for packet processing on PTX/QFX5000 hardware. The CVSS 4.0 vector confirms an unauthenticated, adjacent attack vector (AV:A/PR:N) with high availability impact (VA:H) and low availability impact on subsequent systems (SA:L).
Affected Products
Juniper Networks Junos OS Evolved on PTX Series: all versions before 22.4R3-S8-EVO, 23.2 before 23.2R2-S5-EVO, 23.4 before 23.4R2-EVO, 24.2 before 24.2R2-EVO, 24.4 before 24.4R2-EVO. QFX5000 Series: 22.2-EVO before 22.2R3-S7-EVO, 22.4-EVO before 22.4R3-S7-EVO, 23.2-EVO before 23.2R2-S4-EVO, 23.4-EVO before 23.4R2-S5-EVO, 24.2-EVO before 24.2R2-S1-EVO, 24.4-EVO before 24.4R1-S3-EVO/24.4R2-EVO. CPEs: cpe:2.3:a:juniper_networks:junos_os_evolved.
Remediation
Vendor-released patches: upgrade PTX Series to 22.4R3-S8-EVO, 23.2R2-S5-EVO, 23.4R2-EVO, 24.2R2-EVO, or 24.4R2-EVO depending on deployment branch. Upgrade QFX5000 Series to 22.2R3-S7-EVO, 22.4R3-S7-EVO, 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, or 24.4R2-EVO. QFX5000 versions before 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO are confirmed unaffected. As a workaround prior to patching, implement strict adjacent network access controls and multicast traffic filtering to limit attacker exposure. Complete remediation guidance and affected version matrices are available in the vendor security advisory: https://kb.juniper.net/JSA103159
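An inventory check against the fixed releases listed above, added here as an example and not taken from the Juniper advisory or from vuln.today. It assumes release strings of the form 23.2R2-S5-EVO (an optional build suffix such as .3 is ignored) and that releases within a branch order by R number, then S number; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed releases copied from the advisory text on this page:
# branch (major, minor) -> first fixed (R, S) release in that branch.
FIXED = {
    "PTX": {(22, 4): (3, 8), (23, 2): (2, 5), (23, 4): (2, 0),
            (24, 2): (2, 0), (24, 4): (2, 0)},
    "QFX5000": {(22, 2): (3, 7), (22, 4): (3, 7), (23, 2): (2, 4),
                (23, 4): (2, 5), (24, 2): (2, 1), (24, 4): (1, 3)},
}

# Assumed format: <major>.<minor>R<n>[-S<n>][.<build>]-EVO
_RELEASE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?-EVO$")


def parse_release(text):
    """Split a release string into ((major, minor), (R, S)); S is 0 if absent."""
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"not a Junos OS Evolved release string: {text!r}")
    major, minor, r, s = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (r, s)


def check_release(platform, text):
    """Return 'affected', 'fixed', or 'unlisted' for one device."""
    branch, release = parse_release(text)
    table = FIXED[platform]
    if branch in table:
        return "affected" if release < table[branch] else "fixed"
    # PTX: "all versions before 22.4R3-S8-EVO" covers every older branch.
    if platform == "PTX" and branch < min(table):
        return "affected"
    # Branch not named on this page (including the older QFX5000 branches
    # the advisory treats separately): check the vendor advisory.
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, platform, running release).
    inventory = [
        ("core-ptx-1", "PTX", "22.4R3-S7-EVO"),
        ("leaf-qfx-1", "QFX5000", "22.4R3-S7-EVO"),
        ("leaf-qfx-2", "QFX5000", "24.4R1-S2-EVO"),
        ("core-ptx-2", "PTX", "23.1R1-EVO"),
    ]
    for host, platform, release in inventory:
        print(f"{host:12} {platform:8} {release:16} {check_release(platform, release)}")
```

The same release string can give different results per platform: 22.4R3-S7-EVO is a fixed release on QFX5000 but still affected on PTX, where the fix is 22.4R3-S8-EVO.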
EUVD-2025-209396
GHSA-qr7g-rj69-5948