Junos Os
Monthly
Certificate chain validation bypass in Juniper Junos OS J-Web on SRX Series enables person-in-the-middle attackers to intercept Security Director cloud communications, exposing credentials and sensitive data. All SRX devices connecting to SD cloud fail to properly verify server certificates, allowing interception of authentication material and configuration data. Affects Junos OS versions across all branches prior to 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S3, 24.4R2-S2, and 25.2R1-S2/25.2R2. No public exploit identified at time of analysis. Network-positioned attacker with high complexity required (CVSS AC:H).
Memory exhaustion in Juniper Networks Junos OS BroadBand Edge subscriber management daemon (bbe-smgd) on MX Series allows adjacent unauthenticated attackers to trigger persistent denial of service by sending authentication packets that do not match configured packet-type options. Each mismatched packet leaks memory, eventually consuming all available daemon heap memory and preventing new subscriber logins. Authentication packet-type configuration must be active for exploitation. No public exploit identified at time of analysis.
Memory leak in Juniper Networks Junos OS jdhcpd daemon enables adjacent unauthenticated attackers to crash DHCP services on MX Series routers. Each DHCPv6 subscriber logout in PPPoE or VLAN configurations with active/bulk lease query leaks memory, eventually exhausting resources and triggering jdhcpd crash. Service remains unavailable until process restart completes. Affects all Junos OS versions before 22.4R3-S1, 23.2 versions before 23.2R2, and 23.4 versions before 23.4R2. No public exploit identified at time of analysis.
Memory leak in Juniper Networks l2ald daemon allows adjacent attackers to crash Layer 2 services on EVPN-MPLS networks. Affects Junos OS and Junos OS Evolved across multiple versions. Unauthenticated attackers on the same network segment can trigger resource exhaustion by causing ESI route churn from multi-homed Provider Edge devices, forcing l2ald process crash and restart. No public exploit identified at time of analysis, but exploitation requires only network adjacency without authentication.
Packet forwarding engine (pfe) in Juniper Networks Junos OS on EX4100, EX4400, EX4650, and QFX5120 devices fails to correctly initialize egress filters on IRB and physical interfaces, allowing unauthenticated network-based attackers to bypass security policies and cause integrity impact by forwarding traffic that should be blocked. The vulnerability affects Junos OS versions 23.4R2-S6 and 24.2R2-S3. EPSS score of 6.9 reflects moderate exploitation probability; no active exploitation confirmed (non-KEV status).
Denial of service in Juniper Junos OS chassis control daemon (chassisd) on SRX1600, SRX2300, and SRX4300 devices allows local attackers with low privileges to trigger a complete crash via a specific 'show chassis' CLI command, causing temporary traffic disruption until module recovery. Junos OS 24.4 versions before 24.4R1-S3 and 24.4R2 are affected; no public exploit code identified at time of analysis.
Symbolic link manipulation in Juniper Networks Junos OS CLI enables authenticated local attackers with low privileges to escalate to root access. Exploitation requires two users: the first performs a 'file link ...' CLI operation, then after the second user commits unrelated configuration changes, the first user can authenticate as root, achieving full system compromise. Affects Junos OS versions across 23.2, 23.4, 24.2, 24.4, and 25.2 release trains prior to specified patch levels. No public exploit identified at time of analysis.
Management daemon deadlock in Juniper Networks Junos OS 23.4-24.4 and Junos OS Evolved enables network-based authenticated attackers to trigger complete management plane denial-of-service via rapid NETCONF session cycling. Vulnerability causes mgd processes to hang in lockf state, exhausting process pool and preventing administrative logins. Recovery requires device power-cycle. Affects deployments using NETCONF management interface with authenticated remote users. No public exploit identified at time of analysis.
Local privilege escalation in Juniper Networks Junos OS and Junos OS Evolved allows low-privileged authenticated users to execute arbitrary code with root privileges. When unsigned Python operation scripts are enabled in device configuration, attackers can inject and execute malicious op scripts under root-equivalent context, achieving complete system compromise. Affects all Junos OS versions before 22.4R3-S7 and multiple branches through 24.4, plus corresponding Junos OS Evolved releases. No public exploit identified at time of analysis. CVSS 8.5 (High) with local attack vector requiring low privileges and no user interaction.
Certificate chain validation bypass in Juniper Junos OS J-Web on SRX Series enables person-in-the-middle attackers to intercept Security Director cloud communications, exposing credentials and sensitive data. All SRX devices connecting to SD cloud fail to properly verify server certificates, allowing interception of authentication material and configuration data. Affects Junos OS versions across all branches prior to 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S3, 24.4R2-S2, and 25.2R1-S2/25.2R2. No public exploit identified at time of analysis. Network-positioned attacker with high complexity required (CVSS AC:H).
Memory exhaustion in Juniper Networks Junos OS BroadBand Edge subscriber management daemon (bbe-smgd) on MX Series allows adjacent unauthenticated attackers to trigger persistent denial of service by sending authentication packets that do not match configured packet-type options. Each mismatched packet leaks memory, eventually consuming all available daemon heap memory and preventing new subscriber logins. Authentication packet-type configuration must be active for exploitation. No public exploit identified at time of analysis.
Memory leak in Juniper Networks Junos OS jdhcpd daemon enables adjacent unauthenticated attackers to crash DHCP services on MX Series routers. Each DHCPv6 subscriber logout in PPPoE or VLAN configurations with active/bulk lease query leaks memory, eventually exhausting resources and triggering jdhcpd crash. Service remains unavailable until process restart completes. Affects all Junos OS versions before 22.4R3-S1, 23.2 versions before 23.2R2, and 23.4 versions before 23.4R2. No public exploit identified at time of analysis.
Memory leak in Juniper Networks l2ald daemon allows adjacent attackers to crash Layer 2 services on EVPN-MPLS networks. Affects Junos OS and Junos OS Evolved across multiple versions. Unauthenticated attackers on the same network segment can trigger resource exhaustion by causing ESI route churn from multi-homed Provider Edge devices, forcing l2ald process crash and restart. No public exploit identified at time of analysis, but exploitation requires only network adjacency without authentication.
Packet forwarding engine (pfe) in Juniper Networks Junos OS on EX4100, EX4400, EX4650, and QFX5120 devices fails to correctly initialize egress filters on IRB and physical interfaces, allowing unauthenticated network-based attackers to bypass security policies and cause integrity impact by forwarding traffic that should be blocked. The vulnerability affects Junos OS versions 23.4R2-S6 and 24.2R2-S3. EPSS score of 6.9 reflects moderate exploitation probability; no active exploitation confirmed (non-KEV status).
Denial of service in Juniper Junos OS chassis control daemon (chassisd) on SRX1600, SRX2300, and SRX4300 devices allows local attackers with low privileges to trigger a complete crash via a specific 'show chassis' CLI command, causing temporary traffic disruption until module recovery. Junos OS 24.4 versions before 24.4R1-S3 and 24.4R2 are affected; no public exploit code identified at time of analysis.
Symbolic link manipulation in Juniper Networks Junos OS CLI enables authenticated local attackers with low privileges to escalate to root access. Exploitation requires two users: the first performs a 'file link ...' CLI operation, then after the second user commits unrelated configuration changes, the first user can authenticate as root, achieving full system compromise. Affects Junos OS versions across 23.2, 23.4, 24.2, 24.4, and 25.2 release trains prior to specified patch levels. No public exploit identified at time of analysis.
Management daemon deadlock in Juniper Networks Junos OS 23.4-24.4 and Junos OS Evolved enables network-based authenticated attackers to trigger complete management plane denial-of-service via rapid NETCONF session cycling. Vulnerability causes mgd processes to hang in lockf state, exhausting process pool and preventing administrative logins. Recovery requires device power-cycle. Affects deployments using NETCONF management interface with authenticated remote users. No public exploit identified at time of analysis.
Local privilege escalation in Juniper Networks Junos OS and Junos OS Evolved allows low-privileged authenticated users to execute arbitrary code with root privileges. When unsigned Python operation scripts are enabled in device configuration, attackers can inject and execute malicious op scripts under root-equivalent context, achieving complete system compromise. Affects all Junos OS versions before 22.4R3-S7 and multiple branches through 24.4, plus corresponding Junos OS Evolved releases. No public exploit identified at time of analysis. CVSS 8.5 (High) with local attack vector requiring low privileges and no user interaction.