Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Green
Network-reachable and unauthenticated (AV:N/PR:N) but the trigger depends on events outside attacker control, so AC:H; impact is availability-only (A:H) with no confidentiality or integrity effect.
Primary rating from Vendor (juniper).
CVSS VectorVendor: juniper
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Green
Lifecycle Timeline
2DescriptionCVE.org
An Improper Check for Unusual or Exceptional Conditions vulnerability in the
advanced forwarding toolkit (evo-aftmand)
of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated network-based attacker generating continuous routing updates, resulting in unilist ECMP routes, to crash the
evo-aftmand process on the PFE, leading to a Denial-of-Service (DoS). The conditions required for successful exploitation are based on a sequence of events that are outside an attacker's direct control.
Unified list (unilist) ECMP routes are a specific ECMP behavior where multiple equal-cost routes share a single logical next-hop list entry. The router treats them as one route with multiple next hops and load balances traffic across that unified list. Due to an issue processing unilist ECMP routing updates, internal state corruption may occur, especially in large-scale ECMP unilist deployments, leading to the evo-aftmand process crashing, resulting in an evo-aftmand-bx core. Manual intervention is required to recover by rebooting the system or restarting the FPC.
This issue affects Junos OS Evolved on PTX :
- from 24.4R2-EVO before 24.4R2-S3-EVO;
- from 25.2 before 25.2R2-EVO.
Articles & Coverage 2
AnalysisAI
Denial-of-service in Juniper Junos OS Evolved on PTX Series routers lets an unauthenticated network attacker crash the advanced forwarding toolkit process (evo-aftmand) on the Packet Forwarding Engine by driving continuous routing updates that produce unified-list (unilist) ECMP routes. The resulting internal state corruption generates an evo-aftmand-bx core and halts forwarding, requiring a manual FPC restart or system reboot to recover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be a PTX Series router running Junos OS Evolved 24.4R2-EVO through pre-24.4R2-S3-EVO or 25.2 through pre-25.2R2-EVO, and the attacker must be able to generate continuous routing updates that cause the router to form unilist (unified-list) ECMP routes - the specific condition is the processing of unilist ECMP routing updates, most impactful in large-scale ECMP unilist deployments. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are internally consistent and point to a real but conditional availability risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned to influence routing state toward an exposed PTX core router (for example via a peering session or upstream route injection) generates continuous routing updates that repeatedly create and churn equal-cost paths, driving the router to build large-scale unilist ECMP next-hop structures. Under the right sequence of updates, evo-aftmand mishandles the exceptional condition, corrupts internal state, and cores on the PFE, dropping forwarding on that FPC until an operator manually restarts it. … |
| Remediation | Vendor-released patch: upgrade to Junos OS Evolved 24.4R2-S3-EVO or later on the 24.4 train, or 25.2R2-EVO or later on the 25.2 train, per Juniper advisory JSA110073 (https://supportportal.juniper.net/JSA110073). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all PTX Series routers running Junos OS Evolved and assess network criticality to business operations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Junos Os Evolved
View allAn Improper Handling of Exceptional Conditions vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an
An Exposure of Resource to Wrong Sphere vulnerability in the sampling service of Juniper Networks Junos OS Evolved allow
An improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved Routing Protoc
A Missing Release of File Descriptor or Handle after Effective Lifetime vulnerability in plugable authentication module
An Unchecked Return Value vulnerability in the user interfaces to the Juniper Networks Junos OS and Junos OS Evolved, th
An OS Command Injection vulnerability in gRPC Network Operations Interface (gNOI) server module of Juniper Networks Juno
An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved a
An Out Of Bounds (OOB) access vulnerability in the handling of responses by a Juniper Agile License (JAL) Client in Juni
An Improper Privilege Management vulnerability in the gRPC framework, used by the Juniper Extension Toolkit (JET) API on
An improper input validation vulnerability in the Routing Protocol Daemon (RPD) service of Juniper Networks Junos OS all
A Buffer Access with Incorrect Length Value vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos
An Allocation of Resources Without Limits or Throttling vulnerability in the kernel of Juniper Networks Junos OS Evolved
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42699
GHSA-978v-9chj-92p2