CVE-2025-30661 is a vulnerability categorized under CWE-732 (Incorrect Permission Assignment for Critical Resource) found in Juniper Networks Junos OS, specifically impacting the line card script processing mechanism. The flaw allows a local user with low privileges and access to the local file system to place a malicious script on the router. This script is then executed with root privileges during system boot, resulting in privilege escalation. The vulnerability affects several specific line cards including MPC10, MPC11, LC4800, LC9600, MX304-LMIC16, SRX4700, and EX9200-15C. Affected Junos OS versions include 23.2 (before 23.2R2-S4), 23.4 (before 23.4R2-S5), 24.2 (before 24.2R2-S1), and 24.4 (before 24.4R1-S3 and 24.4R2). Versions prior to 23.1R2 are not affected. The vulnerability arises because the system improperly assigns permissions to critical resources, allowing unauthorized script installation and execution as root. Exploitation requires local access and user interaction but no elevated privileges initially. The CVSS v3.1 score is 7.3, reflecting high severity with high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the potential for complete system compromise is significant, especially in environments relying on these Juniper line cards for critical network infrastructure.

The impact of CVE-2025-30661 is substantial for organizations using affected Juniper line cards and Junos OS versions. Successful exploitation grants an attacker root-level control over the router, enabling full compromise of the device. This can lead to unauthorized configuration changes, interception or manipulation of network traffic, disruption of network services, and potential lateral movement within the network. Given that routers are critical infrastructure components, such compromise can undermine network security, availability, and data confidentiality. The requirement for local access limits remote exploitation but insider threats or attackers who have gained initial footholds can leverage this vulnerability to escalate privileges. The broad range of affected line cards used in enterprise, service provider, and data center environments increases the scope of potential impact worldwide.

To mitigate CVE-2025-30661, organizations should: 1) Immediately upgrade affected Junos OS versions to the fixed releases (23.2R2-S4 or later, 23.4R2-S5 or later, 24.2R2-S1 or later, 24.4R1-S3 or later) as provided by Juniper Networks. 2) Restrict local file system access on routers to trusted administrators only, employing strict access controls and monitoring. 3) Implement robust physical security controls to prevent unauthorized local access to network devices. 4) Monitor router logs and system behavior for unusual script execution or unauthorized file changes. 5) Use network segmentation to limit exposure of critical routing infrastructure. 6) Employ multi-factor authentication and least privilege principles for all administrative access. 7) Regularly audit device configurations and permissions to detect misconfigurations or unauthorized changes. 8) Consider deploying host-based intrusion detection on management stations to detect suspicious activities related to router management.