Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
Lifecycle Timeline
4DescriptionCVE.org
An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series device allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks.
When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces which should have been blocked.
This issue affects Junos OS on EX Series and QFX Series:
- 23.4 version 23.4R2-S6,
- 24.2 version 24.2R2-S3.
No other Junos OS versions are affected.
AnalysisAI
Packet forwarding engine (pfe) in Juniper Networks Junos OS on EX4100, EX4400, EX4650, and QFX5120 devices fails to correctly initialize egress filters on IRB and physical interfaces, allowing unauthenticated network-based attackers to bypass security policies and cause integrity impact by forwarding traffic that should be blocked. The vulnerability affects Junos OS versions 23.4R2-S6 and 24.2R2-S3. EPSS score of 6.9 reflects moderate exploitation probability; no active exploitation confirmed (non-KEV status).
Technical ContextAI
The vulnerability exists in the packet forwarding engine's (pfe) filter application logic on specific EX Series (campus Ethernet switches) and QFX Series (core routing platforms) devices. When identical inet or inet6 family filters are configured as egress policies on both an Integrated Routing and Bridging (IRB) interface and a physical interface on the same device, the filter initialization routine fails to apply both filters correctly-only one is enforced. This is classified as CWE-1419 (Incorrect Initialization with Hard-Coded Network Resource Configuration Values), indicating a fundamental resource initialization flaw in the forwarding pipeline. The affected CPE is cpe:2.3:a:juniper_networks:junos_os:*:*:*:*:*:*:*:*, though only specific hardware SKUs (EX4100, EX4400, EX4650, QFX5120) and OS versions exhibit the defect.
RemediationAI
Juniper has released patches for both affected branches: upgrade to Junos OS version 23.4R2-S7 or later for the 23.4 line, or upgrade to version 24.2R2-S4 or later for the 24.2 line. The fundamental fix corrects the packet forwarding engine's filter initialization routine to properly apply egress filters on both IRB and physical interfaces simultaneously. Until patching is possible, operators can mitigate by: (1) applying the same egress filter only on the physical interface (not on the IRB), or (2) ensuring that firewall policy enforcement is redundant at upstream network boundaries or at Layer 3 policy enforcement points. Consult Juniper advisory JSA107815 for the exact patch versions, detailed upgrade procedures, and confirmation that your device hardware SKU is addressed by the released patches.
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r
A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,
An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un
Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by
Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor
NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al
NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe
An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba
On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21085