Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X
Primary rating from Vendor (juniper) · only source for this CVE.
CVSS VectorVendor: juniper
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X
Lifecycle Timeline
4DescriptionCVE.org
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.
On MX platforms with
MPC10, MPC11, LC4800 or LC9600
line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance.
An affected configuration would be:
user@host
show configuration interfaces lo0 | display set
set interfaces lo0 unit 1 family inet filter input <filter-name>
where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI.
The issue can be observed with the CLI command:
user@device> show firewall counter filter <filter_name>
not showing any matches.
This issue affects Junos OS on MX Series:
- all versions before 23.2R2-S6,
- 23.4 versions before 23.4R2-S7,
- 24.2 versions before 24.2R2,
- 24.4 versions before 24.4R2.
AnalysisAI
Firewall filter bypass in Juniper Networks Junos OS on MX Series allows unauthenticated network-based attackers to access the control plane by exploiting improper exception handling in the packet forwarding engine when firewall filters are applied to non-zero loopback interfaces in the default routing instance. Affected MX platforms with MPC10, MPC11, LC4800, LC9600 line cards and MX304 models running Junos OS versions before 23.2R2-S6, 23.4R2-S7, 24.2R2, or 24.4R2 fail to enforce configured lo0.n ingress filters, allowing bypass of access controls designed to protect critical infrastructure management interfaces. No public exploit identified at time of analysis, but the vulnerability requires only network access and no authentication to trigger.
Technical ContextAI
The vulnerability exists in Juniper's packet forwarding engine (pfe) on MX Series routers, which handles L3 packet processing and firewall filter enforcement. The root cause is an improper exception condition check (CWE-754) in the filter execution logic for loopback interfaces operating in the default routing instance. Loopback interfaces (lo0) serve as management and routing protocol endpoints on enterprise routers; when a non-zero subinterface (lo0.n) is configured with an ingress firewall filter but is not explicitly bound to a non-default routing-instance, the pfe fails to execute the filter rules during packet processing. This is specific to line card architectures MPC10, MPC11, LC4800, and LC9600, plus the MX304 platform. The affected CPE would be cpe:2.3:o:juniper:junos:*:*:*:*:*:mx:* with constraints on line card type and loopback interface configuration in default VRF.
RemediationAI
Organizations must upgrade to patched versions: Junos OS 23.2R2-S6 or later for 23.2.x, 23.4R2-S7 or later for 23.4.x, 24.2R2 or later for 24.2.x, or 24.4R2 or later for 24.4.x. As an interim workaround before patching, explicitly bind non-zero loopback interface units to a non-default routing-instance configuration, which will force the pfe to execute configured firewall filters. Alternatively, apply the firewall filter to lo0.0 (the default loopback unit) or to egress filters instead of ingress filters on the affected lo0.n subinterfaces. Verify filter enforcement using the CLI command 'show firewall counter filter <filter-name>' after reconfiguration to confirm that packet matches are being logged. Complete patching should be prioritized as workarounds do not address the underlying engine defect. Consult https://kb.juniper.net/JSA107865 for detailed upgrade procedures and configuration examples.
named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fe
named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,
Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor
NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al
NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe
An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba
On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P
A Missing Release of Memory after Effective Lifetime vulnerability in the kernel of Juniper Networks Junos OS allows an
An Uncontrolled Memory Allocation vulnerability leading to a Heap-based Buffer Overflow in the packet forwarding engine
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21195
GHSA-3p5v-chx4-4483