Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
Lifecycle Timeline
7DescriptionCVE.org
A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS).
If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn't restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured.
This issue affects Junos OS Evolved on PTX Series:
- all versions before 22.4R3-S9-EVO,
- 23.2 versions before 23.2R2-S6-EVO,
- 23.4 versions before 23.4R2-S7-EVO,
- 24.2 versions before 24.2R2-S4-EVO,
- 24.4 versions before 24.4R2-S2-EVO,
- 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO.
AnalysisAI
Complete persistent denial of service in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated, low-privilege network attackers to crash the evo-aftmand service with no automatic recovery. The vulnerability triggers when PCEP-provisioned colored SRTE policy tunnels with 32-bit ASN values (greater than 65,535) in the Originator ASN field are monitored via gRPC, causing permanent forwarding plane failure until manual system restart. Affects multiple versions through 25.2 release train. No public exploit identified at time of analysis.
Technical ContextAI
Root cause is incorrect argument type handling (CWE-686) in sensor interface between gRPC monitoring subsystem and PCEP-based SRTE tunnel provisioning. Function call fails when processing 32-bit ASN values instead of expected 16-bit range, causing unhandled exception in evo-aftmand daemon. Static SRTE configuration bypasses vulnerable code path. CPE: cpe:2.3:o:juniper:junos_os_evolved:*:*:*:*:*:*:*:* on PTX hardware.
RemediationAI
Vendor-released patches: upgrade to Junos OS Evolved 22.4R3-S9-EVO, 23.2R2-S6-EVO, 23.4R2-S7-EVO, 24.2R2-S4-EVO, 24.4R2-S2-EVO, 25.2R1-S2-EVO, or 25.2R2-EVO depending on deployment branch. Workaround for systems unable to patch immediately: disable gRPC-based monitoring for colored SRTE policy tunnels, or migrate SRTE policies from PCEP-based provisioning to static configuration which bypasses vulnerable sensor interface. Restrict PCEP session establishment to trusted PCE controllers only. Full technical details and vendor advisory: https://kb.juniper.net/JSA107870. Note this vulnerability requires authenticated access with low privileges and specific PCEP/gRPC configuration overlap; EPSS data shows low observed exploitation activity.
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r
A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,
An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un
Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by
Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor
NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al
NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe
An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba
On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P
Same weakness CWE-686 – Function Call With Incorrect Argument Type
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21201
GHSA-q83c-r2qf-fvp6