CVE-2025-60003
Published: 15 January 2026
Summary
CVE-2025-60003 is a high-severity Buffer Over-read (CWE-126) vulnerability in Juniper Junos. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 4.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer over-read in BGP attribute handling directly enables crafted update messages to crash rpd, matching application exploitation for endpoint DoS.
NVD Description
A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer.
This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring:
    [ protocols bgp ... disable-4byte-as ]
Established BGP sessions can be checked by executing:
    show bgp neighbor <IP address> | match "4 byte AS"
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S5,
* 23.4 versions before 23.4R2-S6,
* 24.2 versions before 24.2R2-S2,
* 24.4 versions before 24.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S5-EVO,
* 23.4 versions before 23.4R2-S6-EVO,
* 24.2 versions before 24.2R2-S2-EVO,
* 24.4 versions before 24.4R2-EVO.
Deeper analysis
CVE-2025-60003 is a buffer over-read vulnerability (CWE-126) in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The flaw affects Junos OS versions prior to 22.4R3-S8, 23.2 versions before 23.2R2-S5, 23.4 versions before 23.4R2-S6, 24.2 versions before 24.2R2-S2, and 24.4 versions before 24.4R2. For Junos OS Evolved, it impacts all versions before 22.4R3-S8-EVO, 23.2 versions before 23.2R2-S5-EVO, 23.4 versions before 23.4R2-S6-EVO, 24.2 versions before 24.2R2-S2-EVO, and 24.4 versions before 24.4R2-EVO.
An unauthenticated, network-based attacker can exploit the vulnerability by sending a BGP update containing a set of specific optional transitive attributes over an established peering session. rpd will crash and restart when it attempts to advertise the received information to another peer, causing a Denial-of-Service (DoS). Exploitation is possible only if one or both BGP peers in the receiving session are non-4-byte-AS capable, as determined during BGP session establishment; Junos defaults to 4-byte-AS capability unless explicitly disabled via the "disable-4byte-as" configuration option. The 4-byte-AS status of an established BGP session can be checked with the command: show bgp neighbor <IP address> | match "4 byte AS"
The Juniper security advisory JSA103166 details mitigation by upgrading to a fixed release, that is, one at or beyond the versions listed above. Additional guidance is available via the Juniper support portal at https://supportportal.juniper.net/.
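A triage helper for the affected-version list and the disable-4byte-as precondition described above, as an added example that is not from Juniper or from this page. The version-string pattern, the function names and the sample "display set" lines are assumptions constructed for illustration.

```python
import re

# Fixed release per train as (R, S), copied from the advisory text on this page.
# Junos OS Evolved uses the same numbers with an -EVO suffix.
FIXED = {(22, 4): (3, 8), (23, 2): (2, 5), (23, 4): (2, 6),
         (24, 2): (2, 2), (24, 4): (2, 0)}
OLDEST_TRAIN = min(FIXED)

# Assumed version shape: <major>.<minor>R<n>[-S<m>][.<build>][-EVO]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(?:-EVO)?$")

def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"      # other naming schemes: compare by hand
    train = (int(m[1]), int(m[2]))
    release = (int(m[3]), int(m[4] or 0))
    if train < OLDEST_TRAIN:
        return "affected"      # "all versions before 22.4R3-S8"
    if train not in FIXED:
        return "not-listed"    # train not named in the advisory text
    return "affected" if release < FIXED[train] else "fixed"

def disable_4byte_as_lines(set_config):
    """Return 'set' lines that configure disable-4byte-as under protocols bgp."""
    pat = re.compile(r"^set\b.*\bprotocols bgp\b.*\bdisable-4byte-as\b")
    return [ln.strip() for ln in set_config.splitlines() if pat.match(ln.strip())]

def triage(version, set_config):
    status = classify(version)
    hits = disable_4byte_as_lines(set_config)
    # locally_exposed=False is not an all-clear: a peer that never advertised
    # the 4-byte-AS capability meets the precondition too (check with the
    # "show bgp neighbor" command quoted on this page).
    return {"version": status, "disable_lines": hits,
            "locally_exposed": status == "affected" and bool(hits)}

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
set protocols bgp group TRANSIT neighbor 192.0.2.1 peer-as 64500
set protocols bgp group LEGACY neighbor 198.51.100.7 disable-4byte-as
"""

if __name__ == "__main__":
    for v in ("22.4R3-S7", "23.4R2-S6.3", "24.4R1-S2-EVO", "23.1R2"):
        print(v, triage(v, SAMPLE_CONFIG))
```

Releases on trains the advisory text does not name come back as "not-listed" rather than being guessed either way.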
Details
- CWE(s)