CVE-2025-21599

Published Jan 9, 2025

Last updated a month ago

CVSS high 8.7

Overview

Description
A Missing Release of Memory after Effective Lifetime vulnerability in the Juniper Tunnel Driver (jtd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to cause Denial of Service.  Receipt of specifically malformed IPv6 packets, destined to the device, causes kernel memory to not be freed, resulting in memory exhaustion leading to a system crash and Denial of Service (DoS). Continuous receipt and processing of these packets will continue to exhaust kernel memory, creating a sustained Denial of Service (DoS) condition. This issue only affects systems configured with IPv6. This issue affects Junos OS Evolved:  * from 22.4-EVO before 22.4R3-S5-EVO,  * from 23.2-EVO before 23.2R2-S2-EVO,  * from 23.4-EVO before 23.4R2-S2-EVO,  * from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 22.4R1-EVO.
Source
sirt@juniper.net
NVD status
Analyzed
Products
junos_os_evolved

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

sirt@juniper.net
CWE-401

Social media

Hype score
Not currently trending

  1. ⚠️⚠️ CVE-2025-21598 & CVE-2025-21599 Unauthenticated Attackers Can Exploit Junos Vulnerabilities 🎯5.9k+ Results are found on the https://t.co/pb16tGYaKe nearly year. 🔗FOFA Link:https://t.co/EKURLi3JmC FOFA Query:app="JUNIPer-JUNOS" 🔖Refer: https://t.co/q6GarNOQZA #OSI

    @fofabot

    14 Jan 2025

    1930 Impressions

    12 Retweets

    29 Likes

    10 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨Alert🚨 CVE-2025-21598 & CVE-2025-21599: Unauthenticated Attackers Can Exploit Junos Vulnerabilities 📊 4.1K+ Services are found on https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/pbKIT4UimN 👇Query HUNTER :/product.name="Juniper JUNOS" FOFA : product="JUNIPer-JU

    @HunterMapping

    14 Jan 2025

    1665 Impressions

    8 Retweets

    22 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  3. Juniper Networksの「Junos OS」と「Junos OS Evolved」における2つの重大な脆弱性は、未認証の攻撃者によって悪用される可能性があり、Juniper Networksは即座にパッチを適用することを強く推奨しています。 CVE-2025-21598 https://t.co/sCTxymawNh CVE-2025-21599 https://t.co/ZFyRGhMzXR

    @t_nihonmatsu

    14 Jan 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Unauthenticated Attackers Can Exploit Junos Vulnerabilities (CVE-2025-21598 & CVE-2025-21599) https://t.co/4nbS66dVjM

    @Dinosn

    14 Jan 2025

    2482 Impressions

    8 Retweets

    23 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  5. [CVE-2025-21599: HIGH] Vulnerability in Juniper Tunnel Driver (jtd) of Junos OS Evolved allows unauthenticated attackers to cause Denial of Service via specifically malformed IPv6 packets. Patch available.#cybersecurity,#vulnerability https://t.co/lHgos2H4me https://t.co/0o1cePfY

    @CveFindCom

    9 Jan 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-21599 A Missing Release of Memory after Effective Lifetime vulnerability in the Juniper Tunnel Driver (jtd) of Juniper Networks Junos OS Evolved allows an unauthenticated n… https://t.co/LNrJbwSFvK

    @CVEnew

    9 Jan 2025

    347 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS). When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered. This issue affects:  Junos OS:  * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-EVO.CVE-2026-21921
  2. An Incorrect Calculation vulnerability in the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage. When the issue is seen, the following log message will be generated: op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP, This issue affects Junos OS Evolved:  * all versions before 21.4R3-S7-EVO,  * from 22.2 before 22.2R3-S4-EVO,  * from 22.3 before 22.3R3-S3-EVO,  * from 22.4 before 22.4R3-S2-EVO,  * from 23.2 before 23.2R2-S1-EVO,  * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO.CVE-2026-21911
  3. A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition. Memory usage can be monitored through the use of the 'show task memory detail' command. For example: user@junos> show task memory detail | match ted-infra   TED-INFRA-COOKIE           25   1072     28   1184     229 user@junos> show task memory detail | match ted-infra   TED-INFRA-COOKIE           31   1360     34   1472     307 This issue affects: Junos OS:  * from 23.2 before 23.2R2,  * from 23.4 before 23.4R1-S2, 23.4R2,  * from 24.1 before 24.1R2;  Junos OS Evolved:  * from 23.2 before 23.2R2-EVO,  * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO,  * from 24.1 before 24.1R2-EVO. This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.CVE-2026-21909
  4. A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path. This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled. This issue affects: Junos OS:  * from 23.2R2-S1 before 23.2R2-S5,  * from 23.4R2 before 23.4R2-S6,  * from 24.2 before 24.2R2-S3,  * from 24.4 before 24.4R2-S1,  * from 25.2 before 25.2R1-S2, 25.2R2;  Junos OS Evolved:  * from 23.2R2-S1 before 23.2R2-S5-EVO,  * from 23.4R2 before 23.4R2-S6-EVO,  * from 24.2 before 24.2R2-S3-EVO,  * from 24.4 before 24.4R2-S1-EVO,  * from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO.CVE-2026-21908
  5. An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an availability impact for downstream devices. When an affected device receives a specific optional, transitive BGP attribute over an existing BGP session, it will be erroneously modified before propagation to peers. When the attribute is detected as malformed by the peers, these peers will most likely terminate the BGP sessions with the affected devices and thereby cause an availability impact due to the resulting routing churn. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5 * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved:  * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO.CVE-2025-60011

References

Sources include official advisories and independent security research.