Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
AC:H reflects that rollover requires sustained high-volume failed negotiations; A:H reflects mandatory reboot to restore service, not limited degradation.
Primary rating from Vendor (juniper).
CVSS VectorVendor: juniper
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
Lifecycle Timeline
3DescriptionCVE.org
A Use of Multiple Resources with Duplicate Identifier vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on MX with SPC3 and SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
On an MX with SPC3 and SRX devices configured for VPN service, when a large number of VPN negotiations fail a peer index rollover will eventually occur. As a result, new peers are assigned index values that are already in use and the iked process starts to crash repeatedly. This results in failure to establish new VPN connections and rekeying existing ones. To restore service the system must be rebooted. Please note that the index value can't be monitored, so customers should monitor tunnel up and down events and if a lot of events occur over an extended period of time it becomes likely that this issue occurs.
To be exposed to this issue the system needs to run iked (vs. kmd which is not affected), which can be verified with:
user@host> show system processes extensive | match "KMD|IKED" This issue affects Junos OS on MX with SPC3, SRX Series:
- all versions before 23.2R2-S7,
- 23.4 versions before 23.4R2-S6,
- 24.2 versions before 24.2R2-S3,
- 24.4 versions before 24.4R2-S4,
- 25.2 versions before 25.2R1-S1.
AnalysisAI
Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that assigns duplicate index values to new peers, triggering continuous iked process crashes and a full VPN service outage requiring system reboot. Unauthenticated network-based attackers can deliberately flood the device with failing VPN negotiations to accelerate the rollover condition. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the target device must be a Juniper MX with SPC3 or SRX Series running Junos OS in a vulnerable version range; (2) the device must be configured for VPN service with the iked process active - operators can confirm this with 'show system processes extensive | match IKED'; and (3) a large number of VPN negotiation failures must occur, either organically (misconfigured peers over time) or induced by an attacker flooding the device with rejected IKE attempts over an extended period. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) uses Availability:Low, which appears understated given that recovery explicitly requires a full system reboot - not merely restarting a process. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker on the internet sends a sustained flood of malformed or intentionally rejected IKE negotiation attempts to UDP/500 on an internet-facing SRX or MX-SPC3 gateway running iked. Over an extended period, the volume of failed negotiations exhausts the peer index pool, causing a rollover. … |
| Remediation | Upgrade to a fixed Junos OS release: 23.2R2-S7 or later, 23.4R2-S6 or later, 24.2R2-S3 or later, 24.4R2-S4 or later, or 25.2R1-S1 or later, per the Juniper advisory at https://supportportal.juniper.net/JSA110084. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated
Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthen
Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls l
Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exh
Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low
Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker t
Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2)
Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauth
Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes t
Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network atta
Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a loc
Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally au
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42712
GHSA-m4xf-x7w2-qgfq