CVE-2025-30649 Overview
CVE-2025-30649 is an Improper Input Validation vulnerability [CWE-20] in the syslog stream TCP transport of Juniper Networks Junos OS. The flaw affects MX240, MX480, and MX960 devices equipped with the MX-SPC3 Security Services Card. An unauthenticated, network-based attacker can send specially crafted spoofed packets to the MX-SPC3 Services Processing Units (SPUs), causing CPU exhaustion. Continued receipt of these packets sustains the denial of service condition, degrading or interrupting traffic processing on the affected services card.
Critical Impact
Remote unauthenticated attackers can sustain a CPU-based denial of service against MX-SPC3 SPUs by sending spoofed syslog TCP transport packets, impacting service availability on MX240, MX480, and MX960 platforms.
Affected Products
- Juniper Networks Junos OS on MX240, MX480, and MX960 with MX-SPC3 Security Services Card
- Junos OS: all versions before 22.2R3-S6; 22.4 versions before 22.4R3-S4; 23.2 versions before 23.2R2-S3
- Junos OS: 23.4 versions before 23.4R2-S4; 24.2 versions before 24.2R1-S2 and 24.2R2
Discovery Timeline
- 2025-04-09 - CVE-2025-30649 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-30649
Vulnerability Analysis
The vulnerability resides in the syslog stream TCP transport implementation used by the MX-SPC3 Security Services Card on Juniper MX-series chassis. The MX-SPC3 SPUs process syslog stream packets without performing sufficient input validation on attacker-controlled fields. When malformed or spoofed packets are received, the SPU enters a costly processing path that drives CPU utilization toward saturation.
Because the issue is triggered through normal network reachability and requires no authentication or user interaction, an attacker only needs the ability to send TCP packets that reach the MX-SPC3 syslog transport. Sustained packet delivery keeps SPU CPU pegged, preventing the card from servicing legitimate session traffic and policy enforcement.
An observable indicator is high CPU utilization on the SPC3 SPUs, visible through show services service-sets summary, where the CPU utilization column reports values near 100% with an OVLD (overloaded) marker.
Root Cause
The root cause is improper input validation [CWE-20] in the syslog stream TCP transport code path on the MX-SPC3. The component fails to adequately verify the structure or contents of incoming TCP transport packets before invoking expensive parsing or queueing logic.
Attack Vector
The attack vector is purely network-based. An unauthenticated remote attacker transmits crafted, spoofed TCP packets toward the MX-SPC3 syslog stream transport. No credentials, prior access, or user interaction are required. The denial of service condition is maintained as long as the attacker continues transmission. Detailed technical specifics are limited; refer to the Juniper Security Advisory JSA96459 for vendor-confirmed conditions.
Detection Methods for CVE-2025-30649
Indicators of Compromise
- Sustained high CPU utilization on MX-SPC3 SPUs, reported by show services service-sets summary with values approaching 99% and the OVLD overload flag.
- Unexpected spikes in inbound TCP traffic destined to the syslog stream transport endpoints on MX240, MX480, or MX960 chassis with MX-SPC3 installed.
- Degraded session establishment or policy enforcement throughput on service sets bound to the MX-SPC3.
Detection Strategies
- Baseline SPC3 SPU CPU utilization and alert on sustained deviations above normal operating thresholds.
- Correlate SPU overload events with flow telemetry to identify spoofed-source TCP traffic targeting syslog transport ports.
- Inspect Junos system logs for repeated syslog transport parsing errors or session anomalies associated with the MX-SPC3.
Monitoring Recommendations
- Poll show services service-sets summary and show services service-sets cpu-usage via NETCONF or SNMP and alert on OVLD states.
- Forward Junos telemetry to a centralized analytics platform to correlate SPU CPU saturation with upstream network events.
- Monitor border ACL and edge router counters for anti-spoofing drops to validate that ingress filtering is active.
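The poll-and-alert logic from the detection and monitoring lists above, as an added Python example that is not part of the original page or of Juniper's tooling. The column layout of the sample output and the vms- interface names are constructed for illustration; the 95% threshold and the three-poll window are assumed values to tune against your own baseline.

```python
import re
from collections import defaultdict

# Matches a data row: services interface name first, CPU utilization last,
# optionally followed by the OVLD marker. Header lines do not match.
ROW = re.compile(
    r"^\s*(?P<ifname>[a-z]+-\d+/\d+/\d+)\s.*?"
    r"(?P<cpu>\d+(?:\.\d+)?)\s*%\s*(?P<ovld>OVLD)?\s*$"
)

def parse_summary(text):
    """Return {interface: (cpu_percent, overloaded)} for one CLI snapshot."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m["ifname"]] = (float(m["cpu"]), m["ovld"] is not None)
    return rows

def sustained_overload(polls, cpu_threshold=95.0, min_consecutive=3):
    """Return {interface: poll_index} where overload first became sustained.

    A poll counts as overloaded if OVLD is set or CPU >= cpu_threshold.
    A single spike resets on the next normal poll and never alerts.
    """
    streak = defaultdict(int)
    alerts = {}
    for idx, text in enumerate(polls):
        for ifname, (cpu, ovld) in parse_summary(text).items():
            if ovld or cpu >= cpu_threshold:
                streak[ifname] += 1
                if streak[ifname] == min_consecutive:
                    alerts[ifname] = idx
            else:
                streak[ifname] = 0
    return alerts

# Constructed sample snapshots (assumed layout), one string per polling interval.
HEADER = "Interface   Service sets configured   CPU utilization\n"
SAMPLE_POLLS = [
    HEADER + "vms-1/0/0   2   11.20 %\nvms-2/0/0   1   14.75 %\n",
    HEADER + "vms-1/0/0   2   97.30 %\nvms-2/0/0   1   99.97 % OVLD\n",
    HEADER + "vms-1/0/0   2   12.05 %\nvms-2/0/0   1   99.95 % OVLD\n",
    HEADER + "vms-1/0/0   2   10.80 %\nvms-2/0/0   1   99.98 % OVLD\n",
]

if __name__ == "__main__":
    for ifname, idx in sustained_overload(SAMPLE_POLLS).items():
        print(f"ALERT {ifname}: sustained SPU overload as of poll {idx}")
```

In production the snapshots would come from whatever collector already polls the device; only the text of each snapshot is passed in here.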
How to Mitigate CVE-2025-30649
Immediate Actions Required
- Upgrade Junos OS on affected MX240, MX480, and MX960 systems to a fixed release as listed in Juniper Security Advisory JSA96459.
- Restrict reachability to the syslog stream TCP transport on MX-SPC3 to trusted management networks using firewall filters or loopback policers.
- Implement ingress anti-spoofing filtering (BCP 38) on upstream and edge interfaces to block packets with forged source addresses.
Patch Information
Juniper has released fixed software in Junos OS 22.2R3-S6, 22.4R3-S4, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, and subsequent releases. Refer to the Juniper Security Advisory JSA96459 for the authoritative list of fixed versions and upgrade guidance.
Workarounds
- Apply Junos firewall filters on the loopback interface to permit syslog stream TCP transport only from known, trusted collectors.
- Deploy edge ACLs and unicast reverse path forwarding (uRPF) to drop spoofed packets before they reach the MX-SPC3.
- Rate-limit unsolicited TCP traffic destined to the MX-SPC3 syslog transport ports to reduce the impact of sustained floods.
# Example: verify SPC3 SPU CPU utilization for signs of exploitation
user@device> show services service-sets summary
# Look for the CPU utilization column reporting values near 99% with OVLD