CVE-2025-60003 Overview
A Buffer Over-read vulnerability (CWE-126) exists in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved that allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) condition. When an affected device receives a BGP update containing specific optional transitive attributes over an established peering session, the rpd process will crash and restart when attempting to advertise the received information to another peer.
This vulnerability is particularly concerning because it can be triggered remotely without authentication, potentially disrupting critical network routing infrastructure.
Critical Impact
Unauthenticated network attackers can crash the routing protocol daemon, causing BGP session disruptions and potential network routing failures across enterprise and service provider networks.
Affected Products
- Junos OS: all versions before 22.4R3-S8, 23.2 versions before 23.2R2-S5, 23.4 versions before 23.4R2-S6, 24.2 versions before 24.2R2-S2, 24.4 versions before 24.4R2
- Junos OS Evolved: all versions before 22.4R3-S8-EVO, 23.2 versions before 23.2R2-S5-EVO, 23.4 versions before 23.4R2-S6-EVO, 24.2 versions before 24.2R2-S2-EVO, 24.4 versions before 24.4R2-EVO
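The affected ranges above can be applied to a device inventory. The following is an added example, not vendor code: it assumes release strings of the form `YY.NRr[-Ss][.spin][-EVO]`, and the hostnames and versions in `INVENTORY` are constructed. Trains the list does not name are reported as `not-listed` rather than guessed.

```python
import re

# Fixed release per train, copied from the Affected Products list above.
# Value is (R number, S number); a missing -S suffix counts as S0.
FIXED = {
    (22, 4): (3, 8),  # 22.4R3-S8
    (23, 2): (2, 5),  # 23.2R2-S5
    (23, 4): (2, 6),  # 23.4R2-S6
    (24, 2): (2, 2),  # 24.2R2-S2
    (24, 4): (2, 0),  # 24.4R2
}
OLDEST_TRAIN = min(FIXED)

# Assumed release-string shape: YY.N R<r> [-S<s>] [.<spin>] [-EVO]
_RELEASE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(?:-EVO)?$")


def triage(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for one release string."""
    m = _RELEASE.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, r, s = (int(g) if g else 0 for g in m.groups())
    train = (major, minor)
    if train < OLDEST_TRAIN:
        return "affected"  # "all versions before 22.4R3-S8"
    if train in FIXED:
        return "affected" if (r, s) < FIXED[train] else "fixed"
    return "not-listed"  # train not named in the list: check the vendor advisory


INVENTORY = {  # constructed sample data
    "edge-1": "22.4R3-S7.4",
    "edge-2": "23.4R2-S6",
    "core-1": "24.4R1-EVO",
    "lab-1": "25.2R1",
}


def needs_upgrade(inventory):
    """Hostnames whose release falls inside an affected range."""
    return sorted(h for h, v in inventory.items() if triage(v) == "affected")


if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(f"{host:8} {ver:16} {triage(ver)}")
```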
Discovery Timeline
- 2026-01-15 - CVE-2025-60003 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-60003
Vulnerability Analysis
This vulnerability manifests as a Buffer Over-read condition in the routing protocol daemon (rpd) component of Juniper Networks Junos OS and Junos OS Evolved. The flaw occurs during the processing of BGP update messages containing specific optional transitive attributes. When the affected device attempts to advertise the received BGP information to another peer, the daemon reads beyond the allocated buffer boundaries, causing a crash and subsequent restart.
A critical condition for exploitation is that one or both BGP peers of the receiving session must be non-4-byte-AS capable, as determined from the advertised capabilities during BGP session establishment. By default, Junos OS and Junos OS Evolved are configured as 4-byte-AS capable, which reduces the attack surface. However, environments where disable-4byte-as has been explicitly configured are at elevated risk.
Root Cause
The root cause is a Buffer Over-read (CWE-126) condition in the rpd process when handling BGP update messages. The daemon fails to properly validate buffer boundaries when processing certain optional transitive attributes in BGP updates, particularly in sessions where non-4-byte-AS capability is negotiated. This leads to memory access beyond the allocated buffer when the router attempts to re-advertise the malformed or specially crafted BGP information.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker with the ability to establish or inject traffic into a BGP peering session can craft malicious BGP update messages containing specific optional transitive attributes. When the vulnerable router processes these updates and attempts to advertise them to downstream peers, the buffer over-read triggers a crash of the rpd process.
Administrators can verify their exposure by checking BGP neighbor capabilities using the command:
show bgp neighbor <IP address> | match "4 byte AS"
Sessions showing non-4-byte-AS capability are potentially vulnerable to this attack. The vulnerability requires an established BGP peering relationship, meaning attackers would need either legitimate BGP peering access or the ability to compromise an existing peer.
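When the match filter is run across all neighbors, a peer that did not advertise the capability simply produces no line, so it is easy to miss. The following added example (not from the vendor or the original page) parses saved full `show bgp neighbor` output and lists established peers for which no "4 byte AS" line appears. The sample text is constructed and abbreviated, and its layout is an assumption about the command's output.

```python
import re

# Constructed, abbreviated sample; layout assumed to follow `show bgp neighbor`.
SAMPLE = """\
Peer: 192.0.2.1+179 AS 64501 Local: 192.0.2.2+51022 AS 64500
  Type: External    State: Established    Flags: <Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Peer supports Refresh capability (2)
  Peer supports 4 byte AS extension (peer-as 64501)
Peer: 198.51.100.7+179 AS 64502 Local: 198.51.100.8+49811 AS 64500
  Type: External    State: Established    Flags: <Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Peer supports Refresh capability (2)
Peer: 203.0.113.9 AS 64503 Local: 203.0.113.10 AS 64500
  Type: External    State: Active    Flags: <>
"""

# Start of a neighbor block: address, optional +port, then the peer AS.
_PEER = re.compile(r"^Peer:\s+(\S+?)(?:\+\d+)?\s+AS\s+(\d+)")
# Current session state; the lookbehind skips the "Last State:" line.
_STATE = re.compile(r"(?<!Last )State:\s+(\S+)")


def parse_neighbors(text):
    """Split the output into one record per neighbor block."""
    peers = []
    for line in text.splitlines():
        m = _PEER.match(line)
        if m:
            peers.append({"peer": m.group(1), "as": int(m.group(2)),
                          "state": None, "four_byte_as": False})
        elif peers:
            s = _STATE.search(line)
            if s:
                peers[-1]["state"] = s.group(1)
            if "4 byte AS" in line:  # same string the page's match filter uses
                peers[-1]["four_byte_as"] = True
    return peers


def exposed_sessions(text):
    """Established peers with no 4-byte-AS capability line in their block."""
    return [p["peer"] for p in parse_neighbors(text)
            if p["state"] == "Established" and not p["four_byte_as"]]


if __name__ == "__main__":
    print(exposed_sessions(SAMPLE))
```

Peers that are not in the Established state are skipped because their capabilities are only known once the session is up; the local side is covered by the `disable-4byte-as` configuration check.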
Detection Methods for CVE-2025-60003
Indicators of Compromise
- Unexpected rpd process crashes and restarts on Juniper devices
- BGP session flapping or repeated re-establishment events
- Syslog entries indicating rpd daemon failures or segmentation faults
- Anomalous BGP update messages with unusual optional transitive attributes
Detection Strategies
- Monitor system logs for rpd crash events using show system core-dumps and show log messages commands
- Implement BGP session monitoring to detect abnormal session resets or flapping
- Deploy network-based intrusion detection rules to identify malformed BGP update packets
- Configure SNMP traps for daemon restart events on critical routing infrastructure
Monitoring Recommendations
- Enable comprehensive logging for BGP sessions and rpd process events
- Implement real-time alerting for routing daemon crashes across all Juniper infrastructure
- Review BGP peer configurations to identify sessions with non-4-byte-AS capability enabled
- Establish baseline metrics for BGP session stability to detect anomalies
How to Mitigate CVE-2025-60003
Immediate Actions Required
- Upgrade affected Junos OS devices to versions 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S2, or 24.4R2 or later
- Upgrade affected Junos OS Evolved devices to versions 22.4R3-S8-EVO, 23.2R2-S5-EVO, 23.4R2-S6-EVO, 24.2R2-S2-EVO, or 24.4R2-EVO or later
- Review BGP peer configurations and remove disable-4byte-as where not strictly required
- Implement BGP route filtering and prefix validation to limit exposure from untrusted peers
Patch Information
Juniper Networks has released security patches addressing this vulnerability. Detailed patch information and download links are available in the Juniper Security Advisory JSA103166. Organizations should plan maintenance windows to apply updates to affected routing infrastructure as soon as possible.
Fixed versions include:
- Junos OS: 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S2, 24.4R2
- Junos OS Evolved: 22.4R3-S8-EVO, 23.2R2-S5-EVO, 23.4R2-S6-EVO, 24.2R2-S2-EVO, 24.4R2-EVO
Workarounds
- Ensure 4-byte-AS capability remains enabled (default configuration) by removing any disable-4byte-as statements
- Limit BGP peering to trusted networks and implement strict prefix filtering
- Consider implementing BGP GTSM (Generalized TTL Security Mechanism) to restrict BGP sessions to directly connected peers
- Deploy redundant routing infrastructure to minimize service impact from potential rpd crashes
# Check for disable-4byte-as in the BGP configuration (operational mode).
# No output means the statement is absent and the default, 4-byte-AS capable, applies.
show configuration protocols bgp | match disable-4byte-as
# Check BGP neighbor 4-byte-AS capability status
show bgp neighbor | match "4 byte AS"
# Remove disable-4byte-as if configured (reduces attack surface); run in configuration mode
delete protocols bgp group <group-name> disable-4byte-as
commit


