CVE-2025-52980 Overview
A Use of Incorrect Byte Ordering vulnerability exists in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS on SRX300 Series devices. This vulnerability allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) condition by sending specially crafted BGP updates over an established BGP session.
When a BGP update is received over an established BGP session containing a specific, valid, optional, transitive path attribute, the rpd process will crash and restart. This issue affects both eBGP and iBGP sessions over IPv4 and IPv6, making it a significant threat to network availability and routing stability.
Critical Impact
Unauthenticated remote attackers can crash the routing daemon on SRX300 Series firewalls, disrupting network connectivity and BGP peering relationships without requiring any user interaction.
Affected Products
- Juniper Junos OS 22.1 versions from 22.1R1 before 22.2R3-S4
- Juniper Junos OS 22.3 versions before 22.3R3-S3
- Juniper Junos OS 22.4 versions before 22.4R3-S2
- Juniper Junos OS 23.2 versions before 23.2R2
- Juniper Junos OS 23.4 versions before 23.4R2
- Juniper SRX300, SRX320, SRX340, SRX345, and SRX380 Series Firewalls
Discovery Timeline
- 2025-07-11 - CVE-2025-52980 published to NVD
- 2026-01-23 - Last updated in NVD database
Technical Details for CVE-2025-52980
Vulnerability Analysis
This vulnerability stems from a Use of Incorrect Byte Ordering (CWE-198) flaw within the Routing Protocol Daemon (rpd) component of Junos OS. The rpd process is responsible for managing all routing protocol operations, including BGP session handling and route processing. When processing certain BGP UPDATE messages containing valid optional transitive path attributes, the daemon incorrectly interprets byte ordering, leading to memory corruption and subsequent process termination.
The attack requires an established BGP session with the target device, meaning the attacker must either be a legitimate BGP peer or have compromised an existing peer. Once this condition is met, the attacker can repeatedly crash the rpd daemon, causing sustained denial of service and potential routing table instability across the network.
Root Cause
The root cause lies in improper byte ordering handling when parsing optional transitive BGP path attributes. BGP path attributes are variable-length fields that carry routing information, and when the rpd daemon encounters certain valid attribute combinations, it misinterprets the byte order during memory operations. This leads to accessing invalid memory regions, triggering an unhandled exception and causing the daemon to crash and restart.
The vulnerability is particularly concerning because it involves valid BGP attributes, meaning traditional input validation cannot simply reject the malicious packets without breaking legitimate BGP functionality.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker must have an established BGP peering session with the vulnerable device—this could be achieved through:
- Compromising an existing BGP peer
- Establishing a new unauthorized BGP session if routing policy permits
- Exploiting misconfigured BGP authentication
Once the BGP session is established, the attacker sends specially crafted BGP UPDATE messages containing the triggering path attribute combination. The rpd daemon processes these updates as part of normal BGP operation and crashes immediately when it misinterprets the byte order of the attribute, which is itself valid.
The vulnerability affects the core routing infrastructure, and repeated exploitation can cause:
- Sustained denial of service on the affected firewall
- BGP session flapping with all peers
- Route convergence delays across the network
- Potential traffic black-holing during recovery periods
Detection Methods for CVE-2025-52980
Indicators of Compromise
- Repeated rpd process crashes visible in system logs with references to memory access violations or SIGSEGV signals
- Unexpected BGP session resets correlating with rpd daemon restarts
- Anomalous BGP UPDATE messages with unusual optional transitive path attribute combinations from specific peers
- Increased frequency of core dump files generated by the rpd process
Detection Strategies
- Monitor syslog entries for rpd crash events using patterns like rpd[*]: SIGSEGV or rpd[*]: core dumped
- Implement BGP session monitoring to detect unusual flapping patterns or rapid session establishment/teardown cycles
- Deploy network traffic analysis to identify abnormal BGP UPDATE message patterns, particularly those with unusual path attribute structures
- Configure SNMP traps for BGP peer state changes and routing daemon health metrics
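The log-based checks above can be combined into one pass over centrally collected syslog. The following is an added example, not code from the vendor or the original page: it flags hosts with repeated rpd crashes and lists the BGP peers whose state changed shortly after each crash. The line layout (ISO timestamp, host, message), the peer state-change wording, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Crash patterns are the two named on the page. The peer state-change wording and
# the "ISO-timestamp host message" line layout are assumptions; adapt to your logs.
CRASH_RE = re.compile(r"^rpd\[(\d+)\]: .*(?:SIGSEGV|core dumped)")
PEER_RE = re.compile(r"BGP peer (\S+) .*changed state")

def find_rpd_crash_bursts(lines, min_crashes=2, burst=timedelta(minutes=30),
                          peer_window=timedelta(seconds=120)):
    crashes = defaultdict(dict)   # host -> {rpd pid: first crash timestamp}
    changes = defaultdict(list)   # host -> [(timestamp, peer address)]
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue              # no parseable timestamp, skip the line
        host, msg = parts[1], parts[2]
        crash, peer = CRASH_RE.match(msg), PEER_RE.search(msg)
        if crash:
            # SIGSEGV and "core dumped" lines from one PID are a single crash
            crashes[host].setdefault(crash.group(1), ts)
        elif peer:
            changes[host].append((ts, peer.group(1)))
    findings = {}
    for host, by_pid in crashes.items():
        times = sorted(by_pid.values())
        worst = max(sum(1 for t in times if s <= t < s + burst) for s in times)
        if worst < min_crashes:
            continue              # report repeated crashes only
        peers = sorted({p for ts, p in changes[host]
                        if any(timedelta(0) <= ts - c <= peer_window for c in times)})
        findings[host] = {"crashes_in_burst": worst, "peers_flapped": peers}
    return findings

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = """\
2025-07-15T10:00:01 srx-a rpd[2211]: SIGSEGV
2025-07-15T10:00:02 srx-a rpd[2211]: core dumped
2025-07-15T10:00:40 srx-a rpd[2350]: BGP peer 192.0.2.1 changed state to Established
2025-07-15T10:12:30 srx-a rpd[2350]: SIGSEGV
2025-07-15T10:13:05 srx-a rpd[2391]: BGP peer 2001:db8::1 changed state to Established
2025-07-15T11:00:00 srx-b rpd[900]: core dumped
2025-07-15T11:30:00 srx-c rpd[77]: BGP peer 198.51.100.7 changed state to Idle
""".splitlines()
```

Calling `find_rpd_crash_bursts(SAMPLE_LOG)` reports only `srx-a`; the single crash on `srx-b` and the crash-free state change on `srx-c` stay below the alert threshold.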
Monitoring Recommendations
- Enable detailed logging for the rpd daemon and BGP subsystem using set protocols bgp traceoptions file bgp.log and related commands
- Configure real-time alerting for any rpd process restarts through centralized log management systems
- Implement BGP session state monitoring dashboards to visualize peering health across all SRX300 Series devices
- Review BGP peer configurations to ensure only authorized peers are permitted and MD5 authentication is enabled
How to Mitigate CVE-2025-52980
Immediate Actions Required
- Verify which Junos OS version is running on all SRX300 Series devices using the show version command
- Identify all devices running affected versions: 22.1R1 through 22.2R3-S3, 22.3 through 22.3R3-S2, 22.4 through 22.4R3-S1, 23.2 through 23.2R1, and 23.4 through 23.4R1
- Prioritize patching devices with external-facing BGP peering relationships
- Review and restrict BGP peering configurations to limit exposure to untrusted peers
Patch Information
Juniper Networks has released patched versions of Junos OS that address this vulnerability. Organizations should upgrade to the following fixed releases:
- Junos OS 22.2R3-S4 or later for 22.1/22.2 branch
- Junos OS 22.3R3-S3 or later for 22.3 branch
- Junos OS 22.4R3-S2 or later for 22.4 branch
- Junos OS 23.2R2 or later for 23.2 branch
- Junos OS 23.4R2 or later for 23.4 branch
For detailed upgrade instructions and software downloads, refer to the Juniper Security Advisory JSA100084.
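For inventory triage, the affected ranges and fixed releases listed above can be turned into a version comparison. This is an added example, not tooling from Juniper or the original page: the function names, the assumed version-string shape and the inventory rows are hypothetical, and branches this page does not list are reported as `not-listed` rather than judged.

```python
import re

# Models and first fixed release per branch, as listed on this page.
SRX300_MODELS = {"SRX300", "SRX320", "SRX340", "SRX345", "SRX380"}
FIRST_FIXED = {
    (22, 1): (22, 2, 3, 4),   # page gives 22.2R3-S4 as the fix for 22.1/22.2
    (22, 2): (22, 2, 3, 4),
    (22, 3): (22, 3, 3, 3),
    (22, 4): (22, 4, 3, 2),
    (23, 2): (23, 2, 2, 0),
    (23, 4): (23, 4, 2, 0),
}
# Assumed string shape: 22.4R3-S1.3 = major.minor, R release, optional -S service
# release, optional trailing build number (ignored for comparison).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse_junos_version(text):
    m = VERSION_RE.match(text.strip())
    if not m:
        return None               # other release naming: check by hand
    return tuple(int(g) if g else 0 for g in m.groups())

def release_name(v):
    return f"{v[0]}.{v[1]}R{v[2]}" + (f"-S{v[3]}" if v[3] else "")

def triage(model, version):
    """Return (status, upgrade_target); target is set only when affected."""
    if model.strip().upper() not in SRX300_MODELS:
        return ("not-srx300", None)
    parsed = parse_junos_version(version)
    if parsed is None:
        return ("unparsed", None)
    fixed = FIRST_FIXED.get(parsed[:2])
    if fixed is None:
        return ("not-listed", None)   # branch not covered by this page
    if parsed < fixed:
        return ("affected", release_name(fixed))
    return ("fixed", None)

# Constructed inventory rows: (hostname, model, version string).
INVENTORY = [
    ("edge-1", "SRX345", "22.4R3-S1.3"),
    ("edge-2", "srx320", "22.1R3-S6"),
    ("branch-7", "SRX380", "23.2R2"),
    ("core-1", "SRX1500", "22.4R1"),
]

def report(inventory=INVENTORY):
    return {host: triage(model, ver) for host, model, ver in inventory}
```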
Workarounds
- Implement strict BGP prefix filtering and peer authentication using MD5 to limit which devices can establish BGP sessions
- Configure BGP route policies to filter or log unusual path attribute combinations where operationally feasible
- Deploy network segmentation to isolate SRX300 Series devices from untrusted network segments
- Consider temporarily disabling BGP on affected devices if the service is not critical while awaiting patching
# Enable BGP MD5 authentication for peer security
set protocols bgp group external-peers neighbor 192.0.2.1 authentication-key "strong-key-here"
# Configure prefix limits to protect against route injection
set protocols bgp group external-peers neighbor 192.0.2.1 family inet unicast prefix-limit maximum 10000
# Enable BGP traceoptions for monitoring
set protocols bgp traceoptions file bgp-trace.log size 10m files 5
set protocols bgp traceoptions flag update detail
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

