CVE-2025-52981 Overview
CVE-2025-52981 is an Improper Check for Unusual or Exceptional Conditions vulnerability [CWE-754] in the flow processing daemon (flowd) of Juniper Networks Junos OS. The flaw affects SRX1600, SRX2300, SRX 4000 Series, and SRX5000 Series with SPC3 devices. An unauthenticated, network-based attacker can send a sequence of specific Protocol Independent Multicast (PIM) packets to crash and restart flowd, causing a Denial-of-Service (DoS) condition. The issue is similar to but distinct from CVE-2024-47503 disclosed in JSA88133. Juniper published advisory JSA100087 with fixed releases.
Critical Impact
Remote unauthenticated attackers can disrupt firewall traffic processing on affected SRX platforms by triggering repeated flowd crashes through crafted PIM packets.
Affected Products
- Juniper Junos OS on SRX1600 and SRX2300 platforms
- Juniper Junos OS on SRX 4000 Series (SRX4100, SRX4120, SRX4200, SRX4300, SRX4600, SRX4700)
- Juniper Junos OS on SRX5000 Series (SRX5400, SRX5600, SRX5800) with SPC3 card
Discovery Timeline
- 2025-07-11 - CVE-2025-52981 published to NVD
- 2026-01-30 - Last updated in NVD database
Technical Details for CVE-2025-52981
Vulnerability Analysis
The vulnerability resides in flowd, the flow processing daemon responsible for packet forwarding decisions on Juniper SRX Services Gateways. When the daemon receives a specific sequence of PIM packets, it fails to handle an exceptional condition correctly, causing the process to crash. Junos OS automatically restarts flowd, but repeated triggering produces a sustained Denial-of-Service against the data plane. Because PIM is processed in the forwarding path, any reachable interface accepting multicast routing traffic can serve as an attack surface. The defect is classified under [CWE-754] Improper Check for Unusual or Exceptional Conditions.
Root Cause
The root cause is missing or insufficient validation of edge-case states reached while parsing certain PIM packet sequences. The daemon assumes well-formed protocol state transitions and does not gracefully handle the exceptional input, resulting in a process abort. This is a logic and input-validation defect rather than a memory corruption flaw, and it does not provide a path to code execution or data disclosure.
Attack Vector
Exploitation requires only network reachability to a vulnerable interface that processes PIM. No authentication, user interaction, or prior access is needed. An attacker sends a tailored sequence of PIM messages toward the SRX device. The flowd process crashes and restarts, dropping in-flight traffic during the recovery window. Sustained packet streams keep the device in a degraded state, interrupting firewall, NAT, and routing functions handled by the flow daemon.
No public proof-of-concept or in-the-wild exploitation has been reported. The current EPSS score reflects a low near-term exploitation probability, but the network-reachable, unauthenticated nature of the bug warrants prompt remediation.
Detection Methods for CVE-2025-52981
Indicators of Compromise
- Unexpected flowd process restarts visible in /var/log/messages or chassis logs on SRX platforms
- Core dump files generated by flowd under /var/crash/ following PIM traffic bursts
- Sudden traffic blackholing or session table flushes coinciding with PIM packet activity
- SNMP traps or syslog entries indicating PFE (Packet Forwarding Engine) reset events
Detection Strategies
- Correlate flowd crash events with inbound PIM packet captures on edge or transit interfaces
- Baseline normal PIM volume per interface and alert on anomalous bursts or malformed PIM types
- Monitor for repeated short-interval flowd restarts, which indicate active exploitation rather than benign faults
Monitoring Recommendations
- Forward Junos syslog and chassis events to a centralized SIEM for correlation and long-term retention
- Enable flow telemetry (Junos Telemetry Interface, sFlow) to detect abnormal PIM source patterns
- Track configuration and process health metrics for SRX devices with continuous availability monitoring
How to Mitigate CVE-2025-52981
Immediate Actions Required
- Identify all SRX1600, SRX2300, SRX 4000 Series, and SRX5000 Series with SPC3 devices running affected Junos OS versions
- Apply the fixed Junos OS release listed in Juniper advisory JSA100087 during the next maintenance window
- Restrict PIM acceptance to trusted multicast peers using interface-level filters where business requirements allow
Patch Information
Juniper has released fixes in Junos OS 21.2R3-S9, 21.4R3-S11, 22.2R3-S7, 22.4R3-S6, 23.2R2-S4, 23.4R2-S4, 24.2R2, and all subsequent releases. Refer to the Juniper Security Advisory JSA100087 for the full list of remediated builds and upgrade guidance.
Workarounds
- Apply firewall filters or loopback ACLs that permit PIM only from known, authenticated multicast neighbors
- Disable PIM on interfaces where multicast routing is not required to remove the attack surface entirely
- Use control-plane policing and PIM authentication where supported to limit untrusted source impact
# Example: restrict PIM to known neighbors on an SRX interface
set firewall family inet filter PROTECT-PIM term allow-pim-trusted from source-address 192.0.2.10/32
set firewall family inet filter PROTECT-PIM term allow-pim-trusted from protocol pim
set firewall family inet filter PROTECT-PIM term allow-pim-trusted then accept
set firewall family inet filter PROTECT-PIM term deny-pim from protocol pim
set firewall family inet filter PROTECT-PIM term deny-pim then discard
set interfaces ge-0/0/0 unit 0 family inet filter input PROTECT-PIM
commit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
