CVE-2025-30645 Overview
A NULL Pointer Dereference vulnerability exists in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series firewalls. This vulnerability allows an unauthenticated attacker to send specific, valid control traffic through a Dual-Stack (DS) Lite tunnel, causing the flowd process to crash with a segmentation fault. The resulting Denial of Service (DoS) condition causes network outages until the flowd process automatically restarts. Continuous exploitation of this vulnerability can create a sustained DoS condition, severely impacting network availability.
Critical Impact
Unauthenticated remote attackers can cause persistent network outages on Juniper SRX Series firewalls by repeatedly triggering flowd process crashes with specific, valid control traffic sent through a DS-Lite tunnel.
Affected Products
- Juniper Junos OS on SRX Series (all versions before 21.2R3-S9)
- Juniper Junos OS on SRX Series (from 21.4 before 21.4R3-S9)
- Juniper Junos OS on SRX Series (from 22.2 before 22.2R3-S5)
- Juniper Junos OS on SRX Series (from 22.4 before 22.4R3-S6)
- Juniper Junos OS on SRX Series (from 23.2 before 23.2R2-S3)
- Juniper Junos OS on SRX Series (from 23.4 before 23.4R2)
- Affected hardware: SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX1600, SRX2300, SRX4100, SRX4120, SRX4200, SRX4300, SRX4600, SRX4700, SRX5400, SRX5600, SRX5800
Discovery Timeline
- April 9, 2025 - CVE-2025-30645 published to NVD
- January 26, 2026 - Last updated in NVD database
Technical Details for CVE-2025-30645
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a memory safety issue that occurs when the flowd process attempts to dereference a pointer that has not been properly initialized or has been set to NULL. The flowd daemon is a critical component in Juniper SRX Series firewalls responsible for managing packet flow processing and stateful inspection.
When specific, valid control traffic needs to be transmitted through a DS-Lite (Dual-Stack Lite) tunnel, the flowd process fails to properly validate pointer references before use. DS-Lite is an IPv6 transition technology that encapsulates IPv4 traffic within IPv6 packets, allowing IPv4-only applications to function over IPv6-only networks. The vulnerability is triggered during the processing of control traffic destined for DS-Lite tunnel egress, where improper pointer handling leads to a segmentation fault.
The impact is significant as the flowd process crash results in immediate network disruption. While the process will automatically restart, an attacker can continuously send the triggering traffic to maintain a persistent DoS condition, effectively rendering the firewall non-functional.
Root Cause
The root cause is a NULL pointer dereference in the flowd daemon's DS-Lite tunnel processing logic. When handling outbound control traffic destined for a DS-Lite tunnel, the code path fails to verify that a critical pointer is valid before attempting to use it. This results in a segmentation fault when the process attempts to read or write to memory address 0x0 (NULL), causing immediate process termination.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker must be able to send network traffic that will be processed by the SRX firewall and routed through a configured DS-Lite tunnel. The attack exploits the following conditions:
- The target SRX Series firewall must have DS-Lite tunnel configuration active
- The attacker sends specific control traffic that triggers the vulnerable code path
- When the flowd process attempts to send this traffic out of the DS-Lite tunnel, the NULL pointer dereference occurs
- The flowd process crashes, causing network connectivity loss until restart
The attack can be sustained by continuously triggering the vulnerability, preventing the firewall from maintaining stable operation.
Detection Methods for CVE-2025-30645
Indicators of Compromise
- Unexpected flowd process crashes or restarts visible in system logs
- Repeated segmentation fault entries in /var/log/messages associated with the flowd daemon
- Intermittent network connectivity issues correlating with DS-Lite tunnel traffic patterns
- High frequency of flowd core dump files generated in system diagnostics
Detection Strategies
- Monitor flowd for crash events: check process status with show system processes extensive | match flowd and review system logs with show log messages | match flowd
- Implement SNMP traps for process restart notifications on SRX Series devices
- Use Junos Space or other network management tools to alert on abnormal process behavior
- Deploy network traffic analysis to identify unusual control traffic patterns destined for DS-Lite tunnels
Monitoring Recommendations
- Enable enhanced logging for the flow daemon to capture crash details and potential attack indicators
- Configure syslog forwarding to centralized SIEM platforms for correlation and alerting
- Establish baseline metrics for flowd process stability to detect anomalous restart patterns
- Implement automated alerting when flowd crash frequency exceeds normal operational thresholds
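One way to implement the crash-frequency alert described above, as an added example that is not part of the original advisory. It assumes syslog lines have been normalized to "ISO-timestamp host message" by the collector; the sample lines are constructed and the crash message wording in CRASH_RE is an assumption to adapt to what your devices actually log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, not captured from a real device.
SAMPLE = """\
2025-04-10T09:00:00 srx-b kernel: pid 1500 (flowd_octeon_hm), uid 0: exited on signal 11 (core dumped)
2025-04-10T09:00:02 srx-a kernel: pid 1801 (flowd_octeon_hm), uid 0: exited on signal 11 (core dumped)
2025-04-10T09:01:15 srx-a mgd[2201]: UI_CMDLINE_READ_LINE: user admin, command 'show log messages | match flowd'
2025-04-10T09:03:10 srx-a kernel: pid 1932 (flowd_octeon_hm), uid 0: exited on signal 11 (core dumped)
2025-04-10T09:06:45 srx-a kernel: pid 2050 (flowd_octeon_hm), uid 0: exited on signal 11 (core dumped)
2025-04-10T09:08:00 srx-a kernel: pid 2111 (flowd_octeon_hm), uid 0: exited on signal 11 (core dumped)
2025-04-10T11:00:00 srx-b kernel: pid 1777 (flowd_octeon_hm), uid 0: exited on signal 11 (core dumped)
"""

# Assumed message format: a kernel line reporting a flowd* process killed by SIGSEGV.
CRASH_RE = re.compile(
    r"^(\S+) (\S+) kernel: pid \d+ \(flowd\S*\), uid \d+: exited on signal 11")

def crash_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return [(host, alert_time, crashes_in_window)], one entry per burst.

    A burst starts when a host reaches `threshold` flowd crashes inside
    `window`; it ends when the count drops below the threshold again.
    """
    recent = defaultdict(deque)   # host -> crash timestamps inside the window
    active = set()                # hosts currently in an alerted burst
    alerts = []
    for line in lines:
        m = CRASH_RE.match(line)
        if not m:
            continue              # ignore lines that merely mention flowd
        ts, host = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop crashes older than the window
        if len(q) >= threshold and host not in active:
            active.add(host)
            alerts.append((host, ts, len(q)))
        elif len(q) < threshold:
            active.discard(host)
    return alerts

if __name__ == "__main__":
    for host, ts, n in crash_bursts(SAMPLE.splitlines()):
        print(f"ALERT {host}: {n} flowd crashes within window at {ts}")
```

Set the threshold and window from the baseline you establish for flowd stability; a single restart stays below the default threshold.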
How to Mitigate CVE-2025-30645
Immediate Actions Required
- Identify all SRX Series firewalls running vulnerable Junos OS versions in your environment
- Prioritize patching for devices with active DS-Lite tunnel configurations
- Review network architecture to limit exposure of SRX devices to untrusted traffic sources
- Implement rate limiting or access controls on interfaces handling DS-Lite tunnel traffic where feasible
Patch Information
Juniper Networks has released security updates addressing this vulnerability. Upgrade to the following fixed versions based on your current release train:
- For versions before 21.2: Upgrade to 21.2R3-S9 or later
- For 21.4 versions: Upgrade to 21.4R3-S9 or later
- For 22.2 versions: Upgrade to 22.2R3-S5 or later
- For 22.4 versions: Upgrade to 22.4R3-S6 or later
- For 23.2 versions: Upgrade to 23.2R2-S3 or later
- For 23.4 versions: Upgrade to 23.4R2 or later
For complete patch details and download information, refer to the Juniper Security Advisory JSA96455.
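To triage an inventory against the affected ranges and fixed releases listed above, the following added example (not part of the original advisory or Juniper's tooling) classifies a Junos release string. The show version sample is constructed, and release trains the advisory does not list are reported as not-listed rather than guessed.

```python
import re

# Fixed release per train, from the advisory's patch list: train -> (R, S).
FIXED = {
    (21, 2): (3, 9),  # 21.2R3-S9
    (21, 4): (3, 9),  # 21.4R3-S9
    (22, 2): (3, 5),  # 22.2R3-S5
    (22, 4): (3, 6),  # 22.4R3-S6
    (23, 2): (2, 3),  # 23.2R2-S3
    (23, 4): (2, 0),  # 23.4R2
}
# Matches e.g. 22.4R3-S5.3: train, R number, optional -S number, optional build.
VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

# Constructed sample of `show version` output (hostname and model are made up).
SAMPLE_SHOW_VERSION = """\
Hostname: srx-lab-1
Model: srx345
Junos: 22.4R3-S5.3
"""

def junos_version(show_version_text):
    """Extract the release string from the 'Junos:' line, or None."""
    m = re.search(r"^Junos:\s*(\S+)", show_version_text, re.MULTILINE)
    return m.group(1) if m else None

def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for a release string."""
    m = VERSION_RE.match(version.strip()) if version else None
    if not m:
        return "unparsed"
    major, minor, rel, svc = (int(g) if g else 0 for g in m.groups())
    train = (major, minor)
    if train < (21, 2):
        return "affected"    # "all versions before 21.2R3-S9"
    if train not in FIXED:
        return "not-listed"  # no range for this train on the page; check JSA96455
    return "fixed" if (rel, svc) >= FIXED[train] else "affected"

if __name__ == "__main__":
    v = junos_version(SAMPLE_SHOW_VERSION)
    print(v, classify(v))
```

A device classified as affected is only exposed when DS-Lite is configured, so pair the result with the output of show configuration services softwire when prioritizing.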
Workarounds
- If DS-Lite functionality is not required, consider disabling DS-Lite tunnel configuration until patching can be completed
- Implement strict access control lists to limit sources that can send traffic processed through DS-Lite tunnels
- Deploy redundant firewall configurations to maintain network availability during potential exploitation attempts
- Consider implementing out-of-band management access to maintain device control during DoS conditions
# Verify current Junos OS version
show version
# Check for DS-Lite configuration
show configuration services softwire
# Monitor flowd process status
show system processes extensive | match flowd
# Review system logs for crash events
show log messages | match flowd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

