Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
Lifecycle Timeline
7DescriptionCVE.org
An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane.
When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover.
This issue can be monitored by checking for mgd processes in lockf state in the output of 'show system processes extensive':
user@host> show system processes extensive | match mgd <pid> root 20 0 501M 4640K lockf 1 0:01 0.00% mgd
If the system still can be accessed (either via the CLI or as root, which might still be possible as last resort as this won't invoke mgd), mgd processes in this state can be killed with 'request system process terminate <PID>' from the CLI or with 'kill -9 <PID>' from the shell.
This issue affects:
Junos OS:
- 23.4 versions before 23.4R2-S4,
- 24.2 versions before 24.2R2-S1,
- 24.4 versions before 24.4R1-S3, 24.4R2;
This issue does not affect Junos OS versions before 23.4R1;
Junos OS Evolved:
- 23.4 versions before 23.4R2-S5-EVO,
- 24.2 versions before 24.2R2-S1-EVO,
- 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue does not affect Junos OS Evolved versions before 23.4R1-EVO;
AnalysisAI
Management daemon deadlock in Juniper Networks Junos OS 23.4-24.4 and Junos OS Evolved enables network-based authenticated attackers to trigger complete management plane denial-of-service via rapid NETCONF session cycling. Vulnerability causes mgd processes to hang in lockf state, exhausting process pool and preventing administrative logins. Recovery requires device power-cycle. Affects deployments using NETCONF management interface with authenticated remote users. No public exploit identified at time of analysis.
Technical ContextAI
Root cause: CWE-821 Incorrect Synchronization in mgd process handling of concurrent NETCONF session establishment/teardown. Race condition prevents proper lock release, accumulating zombie processes in lockf state. Observed via 'show system processes extensive' revealing mgd threads blocked on file system locking primitives. Exploitation requires PR:L (authenticated low-privilege user) invoking NETCONF protocol handlers repeatedly.
RemediationAI
Vendor-released patch: Upgrade to Junos OS 23.4R2-S4, 24.2R2-S1, 24.4R1-S3, or 24.4R2 (or later stable releases). For Junos OS Evolved: upgrade to 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, or 24.4R2-EVO. Interim workaround: Terminate hung mgd processes using 'request system process terminate <PID>' from CLI or 'kill -9 <PID>' from root shell when system remains accessible. Restrict NETCONF access to trusted management networks via firewall ACLs or disable NETCONF if not operationally required. Monitor mgd process state via 'show system processes extensive | match mgd' for lockf indicators. Complete advisory and affected version matrix: https://kb.juniper.net/JSA106019
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r
A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,
An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un
Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by
Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor
NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al
NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe
An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba
On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P
Same weakness CWE-821 – Incorrect Synchronization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21082
GHSA-qv89-vxpv-h7vc