Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
Unauthenticated network-reachable packet triggers a crash with no user interaction (AV:N/AC:L/PR:N/UI:N); only availability is affected (A:H) with no confidentiality or integrity loss.
Primary rating from Vendor (juniper).
CVSS VectorVendor: juniper
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
Lifecycle Timeline
6DescriptionCVE.org
An Improper Validation of Specified Quantity in Input vulnerability in the TCP proxy plugin of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an unauthenticated, network-based attacker to cause a complete Denial of Service (DoS).
When TCP proxy is engaged in a flow session, to support ALGs, Advanced Anti-Malware, ICAP or UTM, a TCP packet with specifically malformed TCP header will cause flow processing daemon (flowd) to crash and restart. This causes a complete service outage until the system has automatically recovered.
This issue affects Junos OS on MX with SPC3, and SRX Series:
- 23.4 versions before 23.4R2-S7,
- 24.2 versions before 24.2R2-S4,
- 24.4 versions before 24.4R2-S3,
- 25.2 versions before 25.2R2.
This issue does not affect releases before 23.4R1.
Articles & Coverage 2
AnalysisAI
Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthenticated network attacker crash the flow processing daemon (flowd) by sending a single TCP packet with a malformed TCP header when the TCP proxy is active. Because TCP proxy is engaged whenever ALGs, Advanced Anti-Malware, ICAP, or UTM services inspect a flow, exploitation forces a complete traffic-forwarding outage until the daemon auto-restarts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Junos TCP proxy be actively engaged in the target flow session, which occurs only when the device is configured for one of ALG (Application Layer Gateway), Advanced Anti-Malware (AAMW/ATP), ICAP redirect, or UTM inspection - if none of these L7 services touch the traffic, TCP proxy is not inserted and the flaw is not reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 8.7 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:N and impact confined to availability (VA:H, SA:L) - no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on any network path to an SRX or MX/SPC3 firewall that is inspecting traffic with UTM, AAMW, ICAP, or an ALG sends a single TCP packet crafted with a malformed header field into a proxied session. flowd fails validation and crashes, dropping all flow-based forwarding until it automatically restarts, and the attacker can repeat the packet to sustain the outage. … |
| Remediation | Vendor-released patch: upgrade to Junos OS 23.4R2-S7, 24.2R2-S4, 24.4R2-S3, 25.2R2, or any later release per Juniper advisory JSA110083 (https://supportportal.juniper.net/JSA110083). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all MX/SRX devices running Junos OS; check current version numbers; enable enhanced logging for TCP anomalies and flowd daemon activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated
Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls l
Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exh
Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low
Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker t
Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2)
Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauth
Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes t
Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that ass
Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network atta
Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a loc
Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally au
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42711
GHSA-8p3c-wvj4-2gqc