CVE-2025-60003
Published: 15 January 2026
Summary
CVE-2025-60003 is a high-severity Buffer Over-read (CWE-126) vulnerability in Juniper Junos. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 28.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-60003 is a buffer over-read vulnerability (CWE-126) in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The flaw affects Junos OS versions prior to 22.4R3-S8, 23.2 versions before 23.2R2-S5, 23.4 versions before 23.4R2-S6, 24.2 versions before 24.2R2-S2, and 24.4 versions before 24.4R2. For Junos OS Evolved, it impacts all versions before 22.4R3-S8-EVO, 23.2 versions before 23.2R2-S5-EVO, 23.4 versions before 23.4R2-S6-EVO, 24.2 versions before 24.2R2-S2-EVO, and 24.4 versions before 24.4R2-EVO.
An unauthenticated, network-based attacker can exploit the vulnerability by sending a BGP update containing a set of specific optional transitive attributes over an established peering session. The rpd will crash and restart upon attempting to advertise the received information to another peer, causing a Denial-of-Service (DoS). Exploitation is possible only if one or both BGP peers in the receiving session are non-4-byte-AS capable, as determined during BGP session establishment; Junos defaults to 4-byte-AS capability unless explicitly disabled via the "disable-4byte-as" configuration option. Affected BGP sessions can be identified using the command "show bgp neighbor <IP address> | match '4 byte AS'".
The Juniper security advisory JSA103166 gives the mitigation: upgrade to a fixed release beyond the affected versions. Additional guidance is available via the Juniper support portal at https://supportportal.juniper.net/.
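To triage a device inventory against the affected-version list above, the following added example (not code from Juniper or from this page) compares Junos version strings with the fixed releases. The function names, the version-string syntax handled by the regex, and the sample inventory are assumptions; trains the page does not name are reported for manual review rather than guessed.

```python
import re

# Fixed releases per train, taken from the affected-version list on this page.
# Key: (major, minor) train; value: (R, S) of the first fixed release.
FIXED = {
    (22, 4): (3, 8),   # 22.4R3-S8
    (23, 2): (2, 5),   # 23.2R2-S5
    (23, 4): (2, 6),   # 23.4R2-S6
    (24, 2): (2, 2),   # 24.2R2-S2
    (24, 4): (2, 0),   # 24.4R2
}
OLDEST_TRAIN = min(FIXED)  # trains before 22.4 fall under "all versions before 22.4R3-S8"

# Assumed version syntax: <major>.<minor>R<n>[-S<n>][.<build>][-EVO]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(?:-EVO)?$", re.I)


def is_affected(version):
    """True/False for trains the page lists; None when the page gives no answer."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None  # unparsed string (e.g. special builds): check manually
    major, minor, rel = int(m[1]), int(m[2]), int(m[3])
    svc = int(m[4] or 0)  # no -S suffix counts as service release 0
    train = (major, minor)
    if train < OLDEST_TRAIN:
        return True
    if train not in FIXED:
        return None  # train not named on the page
    return (rel, svc) < FIXED[train]


def triage(inventory):
    """Map hostname -> 'upgrade', 'ok' or 'review' for a {host: version} dict."""
    label = {True: "upgrade", False: "ok", None: "review"}
    return {host: label[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {
        "edge-1": "22.4R3-S7", "edge-2": "22.4R3-S8.5", "core-1": "23.4R2-S6-EVO",
        "core-2": "24.4R1-S3-EVO", "lab-1": "21.4R3-S10", "lab-2": "25.2R1",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:8} {sample[host]:16} {verdict}")
```

Devices marked "upgrade" are only exposed on sessions where one or both peers are non-4-byte-AS capable, so pair this with the "show bgp neighbor" check described above.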
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2712
Vulnerability details
A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer. This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring:
[ protocols bgp ... disable-4byte-as ]
Established BGP sessions can be checked by executing:
show bgp neighbor <IP address> | match "4 byte AS"
This issue affects:
Junos OS:
- all versions before 22.4R3-S8,
- 23.2 versions before 23.2R2-S5,
- 23.4 versions before 23.4R2-S6,
- 24.2 versions before 24.2R2-S2,
- 24.4 versions before 24.4R2;
Junos OS Evolved:
- all versions before 22.4R3-S8-EVO,
- 23.2 versions before 23.2R2-S5-EVO,
- 23.4 versions before 23.4R2-S6-EVO,
- 24.2 versions before 24.2R2-S2-EVO,
- 24.4 versions before 24.4R2-EVO.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer over-read in BGP attribute handling directly enables crafted update messages to crash rpd, matching application exploitation for endpoint DoS.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the buffer over-read vulnerability by requiring timely application of vendor patches and upgrades to fixed Junos OS versions.
Protects against the network-based DoS caused by rpd crashes from malformed BGP updates through architectural and technical DoS defenses.
Validates BGP update messages containing specific optional transitive attributes to prevent buffer over-reads during processing.