
CVE-2025-52985: CWE-480 Use of Incorrect Operator in Juniper Networks Junos OS Evolved

Severity: Medium
Tags: vulnerability, CVE-2025-52985, CWE-480
Published: Fri Jul 11 2025 (07/11/2025, 15:09:58 UTC)
Source: CVE Database V5
Vendor/Project: Juniper Networks
Product: Junos OS Evolved

Description

A Use of Incorrect Operator vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions. When a firewall filter applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list does not match and packets destined to or from the local device are not filtered. This issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output. This issue is applicable to IPv4 and IPv6, as a prefix list can contain IPv4 and IPv6 prefixes. This issue affects Junos OS Evolved:
* 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,
* 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,
* 24.2R2-EVO versions before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue does not affect Junos OS Evolved versions before 23.2R1-EVO.

AI-Powered Analysis

Last updated: 07/11/2025, 15:47:56 UTC

Technical Analysis

CVE-2025-52985 is a medium-severity vulnerability identified in Juniper Networks Junos OS Evolved, specifically affecting the Routing Engine firewall component. The vulnerability arises from the use of an incorrect operator in firewall filters that reference prefix lists containing more than 10 entries. When such a prefix list is used by a filter applied to the loopback interface (lo0) or the management interface (re:mgmt), the prefix list fails to match, so packets destined to or from the local device bypass the intended firewall filtering rules. This behavior allows an unauthenticated, network-based attacker to circumvent security restrictions imposed by these firewall filters. The issue impacts both IPv4 and IPv6 traffic, since prefix lists can include prefixes from both protocols. The vulnerability affects firewall filters applied as input and output on the re:mgmt interface, but only output filters on the lo0 interface. Affected versions of Junos OS Evolved are 23.2R2-S3-EVO before 23.2R2-S4-EVO, 23.4R2-S3-EVO before 23.4R2-S5-EVO, 24.2R2-EVO before 24.2R2-S1-EVO, and 24.4-EVO before 24.4R1-S3-EVO and 24.4R2-EVO. Versions before 23.2R1-EVO are not affected. The vulnerability has a CVSS v3.1 base score of 5.3, indicating medium severity. The attack vector is network-based with no privileges or user interaction required, but the impact is limited to integrity; confidentiality and availability are not affected. No known exploits are currently reported in the wild. The root cause is classified under CWE-480 (Use of Incorrect Operator), indicating a logic error in the firewall filter implementation that leads to incorrect packet filtering behavior.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to network infrastructure security, especially for those relying on Juniper Networks Junos OS Evolved for routing and firewall functions. The ability for an unauthenticated attacker to bypass firewall rules on critical interfaces such as the management interface (re:mgmt) and loopback interface (lo0) can lead to unauthorized access to network devices, potentially allowing attackers to manipulate routing configurations or conduct reconnaissance without detection. While the vulnerability does not directly compromise confidentiality or availability, the integrity of firewall policies is undermined, which can facilitate further attacks or lateral movement within the network. Organizations in sectors with stringent network security requirements, such as finance, telecommunications, energy, and government, may face increased risk due to the critical nature of their network infrastructure. Additionally, since the vulnerability affects both IPv4 and IPv6 traffic, dual-stack networks are exposed for both address families. The lack of required authentication lowers the barrier for exploitation, increasing the threat surface. However, the absence of known exploits in the wild suggests that immediate widespread attacks are unlikely, but vigilance is warranted.

Mitigation Recommendations

European organizations should promptly identify Juniper devices running affected versions of Junos OS Evolved and prioritize patching to the fixed versions (23.2R2-S4-EVO or later, 23.4R2-S5-EVO or later, 24.2R2-S1-EVO or later, and 24.4R1-S3-EVO or later). In environments where immediate patching is not feasible, administrators should review and minimize the use of prefix lists with more than 10 entries in firewall filters applied to the lo0 and re:mgmt interfaces. Consider restructuring prefix lists to contain fewer entries or splitting them to avoid triggering the vulnerability. Additionally, implement strict network segmentation and access controls to limit exposure of management interfaces to trusted networks only. Employ network monitoring and anomaly detection to identify unusual traffic patterns that could indicate attempts to exploit this vulnerability. Regularly audit firewall filter configurations to ensure they are correctly applied and effective. Finally, maintain an up-to-date inventory and configuration management process to quickly assess exposure and respond to emerging threats related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: juniper
Date Reserved: 2025-06-23T18:23:44.546Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68712e3ba83201eaacaf5d1b

Added to database: 7/11/2025, 3:31:07 PM

Last enriched: 7/11/2025, 3:47:56 PM

Last updated: 7/11/2025, 3:47:56 PM

