CVE-2025-60004 Overview
CVE-2025-60004 is an Improper Check for Unusual or Exceptional Conditions vulnerability (CWE-754) affecting the routing protocol daemon (rpd) in Juniper Networks Junos OS and Junos OS Evolved. This network-accessible vulnerability allows an unauthenticated attacker to cause a Denial-of-Service (DoS) condition by sending specially crafted BGP EVPN update messages that trigger an rpd crash and restart.
The vulnerability is particularly concerning because it does not require a BGP EVPN configuration to be exploited—any system with established BGP sessions where peers may send BGP EVPN updates is potentially vulnerable. The issue affects both iBGP and eBGP sessions over IPv4 and IPv6 transport.
Critical Impact
Unauthenticated network-based attackers can crash the routing protocol daemon (rpd) via malicious BGP EVPN update messages, causing service disruption to network routing infrastructure.
Affected Products
- Juniper Junos OS versions 23.4R2-S3 through 23.4R2-S4, 24.2R2, and 24.4 through 24.4R2
- Juniper Junos OS Evolved versions 23.4R2-S2-EVO through 23.4R2-S4-EVO, 24.2R2-EVO, and 24.4-EVO through 24.4R2-EVO
- Network devices running vulnerable rpd (routing protocol daemon) with BGP sessions established
Discovery Timeline
- October 9, 2025 - CVE-2025-60004 published to NVD
- January 23, 2026 - Last updated in NVD database
Technical Details for CVE-2025-60004
Vulnerability Analysis
This vulnerability stems from an improper check for unusual or exceptional conditions within the routing protocol daemon (rpd) when processing BGP EVPN (Ethernet VPN) update messages. The rpd component is a critical service responsible for managing all routing protocols on Juniper devices, including BGP, OSPF, IS-IS, and others.
When the rpd receives a specific malformed or unexpected BGP EVPN update message over an established BGP session, it fails to properly validate or handle the exceptional condition. This improper handling causes the daemon to crash and subsequently restart. During the restart period, routing services are interrupted, potentially causing widespread network connectivity issues.
The attack surface is significant because the vulnerability can be exploited over any established BGP peering session—the attacker does not need direct access to the target device, only the ability to send BGP updates through a peering relationship. This makes the vulnerability exploitable in transit provider, enterprise, and data center environments where BGP is commonly deployed.
Root Cause
The root cause is classified as CWE-754: Improper Check for Unusual or Exceptional Conditions. The rpd process fails to adequately validate certain fields or structures within BGP EVPN update messages before processing them. When encountering an unexpected or malformed EVPN route advertisement, the daemon does not gracefully handle the error condition, instead triggering an unhandled exception that results in process termination.
Critically, even systems not configured for BGP EVPN are vulnerable if their BGP peers can send EVPN-formatted updates. The rpd processes all BGP update messages received over established sessions regardless of local EVPN configuration, making the attack surface broader than might initially be expected.
Attack Vector
The attack vector is network-based and does not require authentication. An attacker must either:
- Have an established BGP peering session with the target device (direct peer)
- Be able to inject or propagate malicious BGP updates through intermediate systems that peer with the target
- Compromise or control a legitimate BGP peer that has a session with the vulnerable device
The attack can be executed over both IPv4 and IPv6 transport and affects both internal BGP (iBGP) and external BGP (eBGP) sessions. The attacker crafts a BGP UPDATE message containing EVPN NLRI (Network Layer Reachability Information) that triggers the improper condition check, causing immediate rpd crash.
Since no code examples are available for this vulnerability, the attack mechanism involves sending BGP UPDATE messages with specifically malformed EVPN type-2 (MAC/IP Advertisement) or type-5 (IP Prefix) routes that contain unexpected attribute values or structural anomalies. Detailed technical information is available in the Juniper Security Advisory JSA103165.
Detection Methods for CVE-2025-60004
Indicators of Compromise
- Unexpected rpd process crashes or restarts visible in system logs (/var/log/messages)
- Frequent BGP session flaps or routing table instability corresponding with rpd restarts
- Core dumps generated by rpd located in /var/crash/ or /var/tmp/
- System log entries showing rpd termination immediately following BGP EVPN update processing
Detection Strategies
- Monitor for rpd crash events using show system core-dumps and correlate with BGP session activity
- Implement BGP session monitoring to detect unusual EVPN update patterns from peers
- Configure SNMP traps for routing daemon failures to enable real-time alerting
- Review BGP update statistics using show bgp summary and show bgp neighbor for anomalous EVPN route reception
Monitoring Recommendations
- Enable detailed BGP logging to capture update message details before potential crashes
- Implement rate limiting on BGP session establishment to slow potential automated attack attempts
- Deploy out-of-band management access to maintain device reachability during rpd outages
- Configure BGP peer authentication (TCP-MD5 or TCP-AO) to prevent unauthorized BGP session establishment
How to Mitigate CVE-2025-60004
Immediate Actions Required
- Upgrade affected Junos OS devices to version 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, or 24.4R2 or later
- Upgrade affected Junos OS Evolved devices to version 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, or 24.4R2-EVO or later
- Audit BGP peering relationships to identify potential sources of EVPN update messages
- Implement BGP route filtering to reject EVPN address family routes from untrusted peers where operationally feasible
Patch Information
Juniper Networks has released fixed software versions addressing this vulnerability. Detailed patch information and download links are available in the Juniper Security Advisory JSA103165.
Fixed Versions:
- Junos OS: 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2 and subsequent releases
- Junos OS Evolved: 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO and subsequent releases
Workarounds
- Configure BGP import policies to reject EVPN NLRI from peers that should not be sending EVPN routes
- Limit BGP peering to trusted networks and implement strict peer authentication
- Monitor rpd process health and configure automatic failover mechanisms where supported by network topology
# Example BGP policy to filter EVPN routes (apply to untrusted peers)
set policy-options policy-statement REJECT-EVPN term 1 from family evpn
set policy-options policy-statement REJECT-EVPN term 1 then reject
set policy-options policy-statement REJECT-EVPN term 2 then accept
# Apply to BGP neighbor
set protocols bgp group EXTERNAL-PEERS import REJECT-EVPN
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
