
CVE-2025-30648: Juniper Junos DHCP Daemon DoS Vulnerability

CVE-2025-30648 is a denial of service flaw in Juniper Junos OS DHCP Daemon that allows adjacent attackers to crash the jdhcpd process. This article covers technical details, affected versions, impact, and mitigation.

CVE-2025-30648 Overview

CVE-2025-30648 is an Improper Input Validation vulnerability [CWE-20] in the Juniper DHCP Daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved. An unauthenticated, adjacent attacker can send a malformed DHCP packet to crash the jdhcpd process, resulting in a sustained Denial of Service (DoS) condition on the DHCP service. The issue triggers only when dhcp-security is enabled. The process restarts automatically, but repeated exploitation enables continuous service disruption. Juniper published advisory JSA96458 detailing affected releases and fixes.

Critical Impact

An adjacent attacker on the same broadcast domain can repeatedly crash the jdhcpd daemon by sending crafted DHCP client packets, breaking DHCP address assignment for downstream clients.

Affected Products

  • Juniper Junos OS: all versions before 21.2R3-S9; 21.4 before 21.4R3-S10; 22.2 before 22.2R3-S6; 22.4 before 22.4R3-S6; 23.2 before 23.2R2-S3; 23.4 before 23.4R2-S4; 24.2 before 24.2R2
  • Juniper Junos OS Evolved: 22.4 before 22.4R3-S6-EVO; 23.2 before 23.2R2-S3-EVO; 23.4 before 23.4R2-S4-EVO; 24.2 before 24.2R2-EVO
  • Devices with dhcp-security configuration enabled
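
The release list above can be turned into an inventory check. The following is an added example, not code from Juniper or from this page; it assumes version strings of the form `22.4R3-S6.5` or `23.2R2-S3-EVO`, and the names `classify`, `triage` and `INVENTORY` are hypothetical.

```python
import re

# Fixed releases per train, copied from the list above: (major, minor) -> (R, S).
FIXED = {
    "junos": {(21, 2): (3, 9), (21, 4): (3, 10), (22, 2): (3, 6), (22, 4): (3, 6),
              (23, 2): (2, 3), (23, 4): (2, 4), (24, 2): (2, 0)},
    "evo":   {(22, 4): (3, 6), (23, 2): (2, 3), (23, 4): (2, 4), (24, 2): (2, 0)},
}
# Assumed format: <major>.<minor>R<n>[-S<n>][.<build>][-EVO]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")

def classify(version):
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, r, s, evo = m.groups()
    train, release = (int(major), int(minor)), (int(r), int(s or 0))
    table = FIXED["evo" if evo else "junos"]
    if train in table:
        # Integer comparison, so S9 sorts before S10.
        return "affected" if release < table[train] else "fixed"
    if train > max(table):
        return "fixed"       # newer train than the last fixed release ("or later")
    if not evo and train < min(table):
        return "affected"    # Junos OS: "all versions before 21.2R3-S9"
    return "unlisted"        # train not named above; check JSA96458

def triage(inventory):
    """Hosts to patch first: affected release and dhcp-security enabled."""
    return [host for host, version, dhcp_security in inventory
            if dhcp_security and classify(version) == "affected"]

# Constructed sample inventory: (hostname, version, dhcp-security enabled)
INVENTORY = [
    ("edge-sw-01", "22.4R3-S5.2", True),
    ("edge-sw-02", "22.4R3-S6.4", True),
    ("core-mx-01", "21.2R3-S8", False),
    ("evo-ptx-01", "23.2R2-S2-EVO", True),
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

A result of `unlisted` means the train does not appear in the list above and should be checked against JSA96458 directly.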

Discovery Timeline

  • 2025-04-09 - CVE-2025-30648 published to NVD
  • 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2025-30648

Vulnerability Analysis

The vulnerability resides in jdhcpd, the Junos process responsible for handling DHCP relay, server, and DHCP snooping/security functions. When dhcp-security is enabled, jdhcpd inspects and validates inbound DHCP client traffic against snooping bindings and security policies. A specifically malformed DHCP packet causes the parsing logic to fault, terminating the daemon. While Junos restarts jdhcpd automatically, the restart window leaves DHCP unavailable for that period, and a continuous packet stream sustains the outage. Networks relying on jdhcpd for client address assignment, option-82 handling, or DHCPv6 services lose connectivity for newly arriving clients during the crash loop.

Root Cause

The root cause is improper input validation [CWE-20] in the DHCP packet parsing path inside jdhcpd. The daemon fails to enforce structural or length constraints on attacker-controlled fields within a DHCP client message before referencing them, leading to a process-terminating fault. Only configurations with dhcp-security enabled exercise the vulnerable code path.

Attack Vector

Exploitation requires adjacent network access, meaning the attacker must be on the same Layer 2 segment or DHCP relay path as the targeted Junos device. No authentication or user interaction is needed. The attacker emits a crafted DHCP client packet (for example a malformed DISCOVER, REQUEST, or DHCPv6 message) toward an interface where dhcp-security is applied. Each delivered packet triggers a jdhcpd crash. Looping the transmission produces a persistent denial of service against DHCP clients served by the device.

No public proof-of-concept or in-the-wild exploitation has been reported for CVE-2025-30648. Refer to the Juniper Security Advisory JSA96458 for vendor technical details.

Detection Methods for CVE-2025-30648

Indicators of Compromise

  • Repeated jdhcpd process crashes or restarts logged in Junos system logs (/var/log/messages, /var/log/chassisd).
  • Sudden spikes in DHCP DISCOVER/REQUEST failures and client address renewal errors across access ports.
  • Core files generated by jdhcpd under /var/crash/ shortly after malformed DHCP traffic is received.

Detection Strategies

  • Monitor for the syslog event JDHCPD_CRASH or generic SYSTEM daemon-restart messages tied to jdhcpd and alert on frequency above baseline.
  • Inspect DHCP packet captures at access-layer switches for malformed options, oversized fields, or non-RFC-compliant client messages preceding outages.
  • Correlate Junos chassis daemon restart events with concurrent DHCP client failure reports in the access network.

Monitoring Recommendations

  • Forward Junos syslog and structured telemetry to a centralized SIEM or data lake to track jdhcpd lifecycle events over time.
  • Track DHCP service availability with synthetic clients on each VLAN where dhcp-security is enabled.
  • Baseline normal DHCP message volumes per interface and alert on anomalous bursts from a single MAC or port.

How to Mitigate CVE-2025-30648

Immediate Actions Required

  • Identify all Junos OS and Junos OS Evolved devices with dhcp-security enabled and prioritize them for patching.
  • Upgrade to a fixed release listed in JSA96458: Junos OS 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R2, or later; Junos OS Evolved 22.4R3-S6-EVO, 23.2R2-S3-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, or later.
  • Restrict Layer 2 access to trusted devices and enforce port security on access switches feeding the affected Junos devices.

Patch Information

Juniper Networks has released fixed software in the versions listed above. The official remediation is documented in Juniper Security Advisory JSA96458. Apply the relevant fixed release for your hardware platform and train.

Workarounds

  • If patching is not immediately possible and the feature is not required, disable dhcp-security to remove the vulnerable code path from execution.
  • Limit which interfaces process DHCP client traffic by tightening DHCP snooping trust boundaries and access lists at the network edge.
  • Apply storm control and DHCP rate-limiting on access ports to reduce the rate at which malformed packets reach jdhcpd.
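
```
# Operational mode: verify the Junos software version
show version

# Operational mode: find where dhcp-security is configured
# (the hierarchy differs by platform, so search the whole configuration)
show configuration | display set | match dhcp-security

# Upgrade to a fixed release (example for Junos OS)
request system software add /var/tmp/junos-install-mx-x86-64-23.4R2-S4.tgz no-validate reboot

# Temporary workaround: remove dhcp-security if not required.
# Delete it at the hierarchy reported by the check above, for example on a VLAN:
configure
delete vlans <vlan-name> forwarding-options dhcp-security
commit and-quit
```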

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.