Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:C/RE:M/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:C/RE:M/U:Amber
Lifecycle Timeline
6DescriptionCVE.org
A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved
as root.
This issue affects systems running Junos OS using Linux-based line cards. Affected line cards include:
- MPC7, MPC8, MPC9, MPC10, MPC11
- LC2101, LC2103
- LC480, LC4800, LC9600
- MX304 (built-in FPC)
- MX-SPC3
- SRX5K-SPC3
- EX9200-40XS
- FPC3-PTX-U2, FPC3-PTX-U3
- FPC3-SFF-PTX
- LC1101, LC1102, LC1104, LC1105
This issue affects Junos OS:
- all versions before 22.4R3-S8,
- from 23.2 before 23.2R2-S6,
- from 23.4 before 23.4R2-S6,
- from 24.2 before 24.2R2-S3,
- from 24.4 before 24.4R2,
- from 25.2 before 25.2R2.
AnalysisAI
Privilege escalation in Juniper Networks Junos OS allows high-privileged local attackers to gain root access on Linux-based line cards running Junos OS Evolved. Missing authentication in critical command processing functions enables authenticated administrators with elevated privileges to bypass access controls and execute commands as root on affected hardware modules including MPC7-11, LC2101/2103, LC480/4800/9600, MX304 built-in FPC, MX-SPC3, SRX5K-SPC3, EX9200-40XS, and PTX-series line cards. No public exploit identified at time of analysis.
Technical ContextAI
CWE-306 authentication bypass in command processing subsystem permits privileged local users to interact with Linux-based forwarding plane cards without proper credential verification. Attack requires local access vector with high privileges (CVSS PR:H), exploiting missing authentication controls in inter-process communication channels between control plane (Junos OS) and data plane components (Junos OS Evolved on line cards).
RemediationAI
Vendor-released patches: upgrade to Junos OS 22.4R3-S8, 23.2R2-S6, 23.4R2-S6, 24.2R2-S3, 24.4R2, or 25.2R2 depending on active release train. Prioritize systems with affected Linux-based line cards listed in affected products. Implement least-privilege access controls to limit high-privilege local account usage until patching completes. Monitor administrative session logs for anomalous command execution on forwarding plane components. Apply role-based access restrictions to reduce attack surface from privileged accounts. Official advisory: https://supportportal.juniper.net/JSA107863 and https://kb.juniper.net/JSA107863. Security research context: https://github.com/orangecertcc/security-research/security/advisories/GHSA-fwhc-gh5m-v8fq
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r
A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,
An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un
Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by
Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor
NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al
NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe
An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba
On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209320