CVE-2025-30660 Overview
CVE-2025-30660 is a denial-of-service vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS running on MX Series routers. The flaw stems from an Improper Check for Unusual or Exceptional Conditions [CWE-754] in how the PFE processes specific Generic Routing Encapsulation (GRE) traffic destined to the device. An unauthenticated, network-based attacker who sends a sustained high rate of crafted GRE packets can hang the affected PFE, halting traffic forwarding through the line card.
Critical Impact
A remote, unauthenticated attacker can stop traffic forwarding on MX Series routers by sending a high rate of specific GRE traffic, disrupting core and edge network operations.
Affected Products
- Juniper Junos OS on MX Series (MX204, MX240, MX304, MX480, MX960)
- Juniper Junos OS on MX Series (MX2008, MX2010, MX2020)
- Juniper Junos OS on MX Series (MX10004, MX10008)
Discovery Timeline
- 2025-04-09 - CVE-2025-30660 published to NVD with Juniper advisory JSA96471
- 2026-01-23 - Last updated in NVD database
Technical Details for CVE-2025-30660
Vulnerability Analysis
The vulnerability lives in the PFE data path on MX Series routers, where specific GRE traffic destined to the device is not properly validated for unusual conditions. When the PFE processes a high rate of these GRE packets, the MQSS (MX Queueing Subsystem) ASIC reports oversized parcel data and raises an ASIC error. The result is a hang of the affected PFE, which stops forwarding all transit and host-bound traffic until the line card is recovered.
Operators can correlate the condition with the following log signatures emitted at the time of failure:
<fpc #> MQSS(0): LI-3: Received a parcel with more than 512B accompanying data
CHASSISD_FPC_ASIC_ERROR: ASIC Error detected <...>
Because MX Series platforms are commonly deployed at service provider edges, peering points, and large enterprise cores, an outage of a PFE can translate into a wide blast radius across customer-facing circuits.
Root Cause
The PFE fails to handle an exceptional packet condition encountered while parsing specific GRE traffic. Internal parcels carrying more than 512 bytes of accompanying data are not rejected or rate-limited at the appropriate stage, which propagates an unrecoverable ASIC error in the MQSS block and stalls the forwarding pipeline.
Attack Vector
Exploitation requires only network reachability to an interface of the device that processes GRE traffic destined to the router itself. No authentication, user interaction, or pre-existing tunnel relationship is required. The attacker must sustain a high packet rate of the specific GRE traffic pattern toward the device to trigger the PFE hang. No public proof-of-concept or exploit code has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
See the Juniper Security Advisory JSA96471 for vendor technical details.
Detection Methods for CVE-2025-30660
Indicators of Compromise
- PFE/FPC log entries containing "MQSS(0): LI-3: Received a parcel with more than 512B accompanying data".
- Chassis daemon log entries "CHASSISD_FPC_ASIC_ERROR: ASIC Error detected" correlated with sudden traffic blackholing.
- Sustained high inbound GRE (IP protocol 47) packet rates terminating on the router's loopback or interface addresses.
Detection Strategies
- Aggregate Junos syslog from MX Series devices into a SIEM and alert on the MQSS parcel and CHASSISD ASIC error strings.
- Baseline GRE traffic volume destined to router control-plane addresses and alert on anomalous spikes from untrusted sources.
- Monitor PFE health using "show chassis fpc" and "show pfe statistics traffic" for forwarding stalls or error counter increases.
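The log correlation described in the first strategy, as an added example that is not part of the original page or of any Juniper tooling. It assumes a "<ISO time> <host> <message>" syslog layout, an "fpcN" prefix on the MQSS line, and a 60-second correlation window; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Signatures quoted on this page. The "fpcN" prefix and the
# "<ISO time> <host> <message>" line layout are assumptions.
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
MQSS_RE = re.compile(r"(fpc\d+) MQSS\(\d+\): LI-3: Received a parcel "
                     r"with more than 512B accompanying data")
ASIC_MARK = "CHASSISD_FPC_ASIC_ERROR: ASIC Error detected"
PARCEL = "MQSS(0): LI-3: Received a parcel with more than 512B accompanying data"

# Constructed sample input, not captured from a real device.
SAMPLE_LOG = f"""\
2025-04-09T10:15:01+00:00 mx-edge1 fpc2 {PARCEL}
2025-04-09T10:15:02+00:00 mx-edge1 fpc2 {PARCEL}
2025-04-09T10:15:05+00:00 mx-edge1 chassisd[1234]: {ASIC_MARK} (constructed)
2025-04-09T10:20:00+00:00 mx-edge2 fpc0 {PARCEL}
2025-04-09T11:00:00+00:00 mx-core1 chassisd[1234]: {ASIC_MARK} (constructed)
"""

def correlate(log_text, window=timedelta(seconds=60)):
    """Per host: count parcel warnings and flag an ASIC error that follows
    one within `window` (the 60 s default is an assumed value)."""
    hosts = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # no parseable timestamp
        h = hosts.setdefault(m.group(2), {"parcel": [], "fpcs": set(), "asic": []})
        hit = MQSS_RE.search(m.group(3))
        if hit:
            h["parcel"].append(ts)
            h["fpcs"].add(hit.group(1))
        elif ASIC_MARK in m.group(3):
            h["asic"].append(ts)
    findings = []
    for host, h in sorted(hosts.items()):
        if not (h["parcel"] or h["asic"]):
            continue  # host logged neither signature
        hang = any(timedelta(0) <= a - p <= window
                   for a in h["asic"] for p in h["parcel"])
        findings.append({"host": host, "fpcs": sorted(h["fpcs"]),
                         "parcel_warnings": len(h["parcel"]),
                         "severity": "high" if hang else "review"})
    return findings
```

A host is rated "high" only when the chassisd ASIC error follows a parcel warning on the same device; either signature alone is left at "review" for an operator to check.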
Monitoring Recommendations
- Forward FPC and chassisd logs to centralized logging with retention sufficient for incident reconstruction.
- Use streaming telemetry (Junos Telemetry Interface) to track per-FPC packet drops, ASIC errors, and queue depth in near real time.
- Correlate routing protocol session flaps (BGP, IS-IS, OSPF) with PFE error events to identify forwarding-plane outages.
How to Mitigate CVE-2025-30660
Immediate Actions Required
- Inventory MX Series devices and identify any running Junos OS releases earlier than the fixed versions listed in JSA96471.
- Schedule upgrades to the fixed Junos OS releases on exposed MX10004, MX10008, MX2008, MX2010, MX2020, MX204, MX240, MX304, MX480, and MX960 systems.
- Restrict GRE traffic destined to router addresses using control-plane policers and firewall filters until patching is complete.
Patch Information
Juniper has released fixed software in Junos OS 21.2R3-S9, 21.4R3-S8, 22.2R3-S4, 22.4R3-S5, 23.2R2-S2, 23.4R2, and all subsequent releases. Refer to the Juniper Security Advisory JSA96471 for the complete fixed-release matrix and upgrade guidance.
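One way to run the inventory check against the fixed releases listed above (added example, not Juniper's or the page's own code). The hostnames and versions are constructed, and trains that the page does not list are reported as "check-advisory" rather than guessed, since JSA96471 holds the complete matrix.

```python
import re

# Fixed releases listed on this page, keyed by train: (R number, S number).
FIXED = {
    (21, 2): (3, 9), (21, 4): (3, 8), (22, 2): (3, 4),
    (22, 4): (3, 5), (23, 2): (2, 2), (23, 4): (2, 0),
}
# Matches strings such as 21.4R3-S7.2 or 23.4R2; other formats are not parsed.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def classify(version):
    """Return 'fixed', 'unfixed' or 'check-advisory' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "check-advisory"            # unparsed format: do not guess
    train = (int(m[1]), int(m[2]))
    release = (int(m[3]), int(m[4] or 0))  # numeric compare, so S10 > S9
    if train in FIXED:
        return "fixed" if release >= FIXED[train] else "unfixed"
    if train > max(FIXED):
        return "fixed"                     # "all subsequent releases"
    if train < min(FIXED):
        return "unfixed"                   # older than every listed fix
    return "check-advisory"                # train between listed ones

# Constructed inventory (hypothetical hostnames and versions).
INVENTORY = {
    "mx-edge1": "21.4R3-S7.2",
    "mx-edge2": "22.4R3-S10",
    "mx-core1": "23.4R1-S2.1",
    "mx-core2": "22.3R3-S2",
    "mx-peer1": "24.2R1.17",
}

def needs_action(inventory):
    """Hosts whose release is not confirmed fixed, with the reason."""
    results = {host: classify(ver) for host, ver in sorted(inventory.items())}
    return {h: s for h, s in results.items() if s != "fixed"}
```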
Workarounds
- Apply a loopback firewall filter that discards or rate-limits GRE (protocol 47) traffic from untrusted sources destined to the router.
- Implement edge ACLs at network ingress to drop unsolicited GRE packets targeting infrastructure addresses.
- Use unicast Reverse Path Forwarding (uRPF) and infrastructure ACLs to limit who can reach router-owned addresses with GRE.
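# Example Junos loopback filter to rate-limit GRE traffic to the RE/PFE
# Term limit-gre: match GRE (IP protocol 47), police it, and count matches in gre-to-re
set firewall family inet filter PROTECT-RE term limit-gre from protocol gre
set firewall family inet filter PROTECT-RE term limit-gre then policer GRE-POLICER
set firewall family inet filter PROTECT-RE term limit-gre then count gre-to-re
# Term default: accept everything else so other traffic to the router is unaffected
set firewall family inet filter PROTECT-RE term default then accept
# Policer: GRE above 1 Mbps (15 KB burst) is discarded; all GRE to the router shares this
# limit, including legitimate tunnels, so size it to the expected load
set firewall policer GRE-POLICER if-exceeding bandwidth-limit 1m burst-size-limit 15k
set firewall policer GRE-POLICER then discard
# Attach to lo0; this statement replaces any input filter already configured on lo0.0
set interfaces lo0 unit 0 family inet filter input PROTECT-RE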