CVE-2025-60003 Overview
A Buffer Over-read vulnerability has been identified in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. This vulnerability allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) condition on affected devices.
The vulnerability is triggered when an affected device receives a BGP update containing a specific set of optional transitive attributes over an established peering session. When the rpd attempts to advertise the received information to another peer, it crashes and restarts. This issue specifically affects BGP sessions where one or both peers are non-4-byte-AS capable, which can be determined from the capabilities advertised during BGP session establishment.
Critical Impact
Network-based attackers can remotely crash the routing protocol daemon on Juniper network devices, causing service disruption and potential network instability across enterprise routing infrastructure.
Affected Products
- Juniper Junos OS all versions before 22.4R3-S8, 23.2 versions before 23.2R2-S5, 23.4 versions before 23.4R2-S6, 24.2 versions before 24.2R2-S2, 24.4 versions before 24.4R2
- Juniper Junos OS Evolved all versions before 22.4R3-S8-EVO, 23.2 versions before 23.2R2-S5-EVO, 23.4 versions before 23.4R2-S6-EVO, 24.2 versions before 24.2R2-S2-EVO, 24.4 versions before 24.4R2-EVO
Discovery Timeline
- January 15, 2026 - CVE-2025-60003 published to NVD
- January 23, 2026 - Last updated in NVD database
Technical Details for CVE-2025-60003
Vulnerability Analysis
This vulnerability resides in the routing protocol daemon (rpd), a critical component responsible for handling BGP routing decisions and route advertisements in Juniper network devices. The buffer over-read condition (CWE-126) occurs during the processing and subsequent re-advertisement of BGP update messages containing specific optional transitive attributes.
The vulnerability condition is only exploitable when BGP sessions involve non-4-byte-AS capable peers. By default, Junos OS and Junos OS Evolved are configured to support 4-byte AS numbers, which means the vulnerability only manifests when this capability has been explicitly disabled via the configuration directive [ protocols bgp ... disable-4byte-as ] or when peering with legacy devices that do not support 4-byte AS numbers.
When the rpd processes a maliciously crafted or malformed BGP update with specific optional transitive attributes, it reads beyond the allocated buffer boundaries when attempting to propagate this routing information to other peers, resulting in a daemon crash and automatic restart.
Root Cause
The root cause is a buffer over-read vulnerability (CWE-126) in the rpd's BGP update handling code. When processing BGP updates containing certain optional transitive attributes destined for re-advertisement to non-4-byte-AS capable peers, the daemon fails to properly validate buffer boundaries. This results in the rpd reading memory beyond the allocated buffer, causing memory access violations that trigger a daemon crash.
The issue stems from inadequate bounds checking when translating or reformatting BGP attributes for peers with different AS number capabilities, specifically when converting between 4-byte and 2-byte AS number representations.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker must have an established BGP peering session with the target device or be able to inject BGP updates through an intermediary router that will propagate the malicious update to the vulnerable device.
The attack flow involves sending a BGP update message containing specially crafted optional transitive attributes over an established BGP session. When the target device attempts to advertise this received routing information to another peer that is non-4-byte-AS capable, the rpd crashes and restarts, causing temporary routing disruption.
Administrators can verify their exposure by checking BGP neighbor capabilities using the command: show bgp neighbor <IP address> | match "4 byte AS". Sessions where peers do not advertise 4-byte AS capability are potentially vulnerable to this attack.
Detection Methods for CVE-2025-60003
Indicators of Compromise
- Unexpected rpd process crashes and restarts correlated with BGP update activity
- System logs showing rpd core dumps or segmentation faults during BGP route processing
- Multiple BGP session flaps or re-establishments in short time periods
- Error messages related to BGP attribute processing or memory access violations in system logs
Detection Strategies
- Monitor syslog entries for rpd crash events, particularly those mentioning buffer overflows or memory access errors
- Implement BGP session monitoring to detect abnormal session resets or flapping patterns
- Configure SNMP traps for rpd process restart events on affected Juniper devices
- Review BGP update logs for unusual optional transitive attributes from external peers
Monitoring Recommendations
- Enable enhanced BGP logging to capture detailed information about received BGP updates and attributes
- Set up alerting for rpd process restarts that exceed normal operational thresholds
- Monitor network reachability and routing table stability as indicators of potential exploitation
- Implement flow analysis to detect anomalous BGP traffic patterns from untrusted peers
How to Mitigate CVE-2025-60003
Immediate Actions Required
- Verify whether any BGP sessions are configured with non-4-byte-AS capability by running show bgp neighbor <IP address> | match "4 byte AS" on all affected devices
- If non-4-byte-AS peers are not required, remove any disable-4byte-as configuration directives to reduce exposure
- Review BGP peering relationships and implement route filtering policies to limit the propagation of potentially malicious attributes
- Schedule maintenance windows to apply vendor patches as soon as possible
Patch Information
Juniper Networks has released patched versions addressing this vulnerability. Administrators should upgrade to the following minimum versions:
Junos OS:
- Version 22.4R3-S8 or later for 22.4 branch
- Version 23.2R2-S5 or later for 23.2 branch
- Version 23.4R2-S6 or later for 23.4 branch
- Version 24.2R2-S2 or later for 24.2 branch
- Version 24.4R2 or later for 24.4 branch
Junos OS Evolved:
- Version 22.4R3-S8-EVO or later for 22.4 branch
- Version 23.2R2-S5-EVO or later for 23.2 branch
- Version 23.4R2-S6-EVO or later for 23.4 branch
- Version 24.2R2-S2-EVO or later for 24.2 branch
- Version 24.4R2-EVO or later for 24.4 branch
For complete patch information and download links, refer to the Juniper Security Advisory JSA103166 and the Juniper Support Portal.
Workarounds
- Ensure all BGP peers support 4-byte AS numbers and remove any disable-4byte-as configuration to eliminate the vulnerable condition
- Implement strict BGP route filtering policies to sanitize incoming BGP updates and block unexpected optional transitive attributes
- Consider implementing BGP session authentication (MD5 or TCP-AO) to restrict peering to authorized devices only
- Segment network infrastructure to limit the blast radius of any potential rpd crashes
# Check BGP neighbor 4-byte AS capability
show bgp neighbor <IP_ADDRESS> | match "4 byte AS"
# Verify current BGP configuration for disable-4byte-as
show configuration protocols bgp | match disable-4byte-as
# Remove disable-4byte-as if not required (configuration mode)
delete protocols bgp group <GROUP_NAME> disable-4byte-as
commit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
