CVE-2025-52985: CWE-480 Use of Incorrect Operator in Juniper Networks Junos OS Evolved
A Use of Incorrect Operator vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions. When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered. This issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output. This issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes. This issue affects Junos OS Evolved:
* 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,
* 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,
* 24.2R2-EVO versions before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue doesn't affect Junos OS Evolved versions before 23.2R1-EVO.
AI Analysis
Technical Summary
CVE-2025-52985 is a medium-severity vulnerability in the Routing Engine firewall component of Juniper Networks Junos OS Evolved. The flaw arises from the use of an incorrect operator in the handling of firewall filters that reference prefix lists containing more than 10 entries. When a firewall filter applied to the lo0 (loopback) or re:mgmt (Routing Engine management) interface uses a 'from prefix-list' match condition, and the referenced prefix list holds more than 10 prefixes, the condition never matches. Consequently, packets destined to or originating from the local device bypass the filtering the term was meant to enforce. The bypass affects both IPv4 and IPv6 traffic, since a single prefix list can hold prefixes of both families. Filters applied to re:mgmt interfaces are affected in both the input and output directions, but filters applied to lo0 are affected only in the output direction. Affected releases are 23.2R2-S3-EVO and later versions before 23.2R2-S4-EVO; 23.4R2-S3-EVO and later versions before 23.4R2-S5-EVO; 24.2R2-EVO and later versions before 24.2R2-S1-EVO; and 24.4-EVO and later versions before 24.4R1-S3-EVO and 24.4R2-EVO. Versions prior to 23.2R1-EVO are not affected. The vulnerability allows an unauthenticated, network-based attacker to bypass security restrictions without user interaction or privileges. No exploitation in the wild has been reported, but the flaw could be used to circumvent firewall policies protecting the Routing Engine, potentially enabling further attacks or unauthorized access to device management functions. The CVSS v3.1 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact. The root cause is classified as CWE-480, Use of Incorrect Operator, where an operator error in the filter logic leads to a security control bypass.
Potential Impact
For European organizations relying on Juniper Networks Junos OS Evolved in their network infrastructure, this vulnerability poses a risk of unauthorized bypass of firewall restrictions on critical routing engine interfaces. The routing engine is central to device management and control plane operations; thus, bypassing firewall filters on lo0 or re:mgmt interfaces could allow attackers to send or receive packets that should be blocked, potentially exposing management services or enabling further exploitation. This could lead to unauthorized configuration changes, interception or manipulation of routing protocols, or lateral movement within the network. Since the vulnerability affects both IPv4 and IPv6 traffic, organizations deploying dual-stack networks are equally at risk. The impact is particularly significant for service providers, large enterprises, and critical infrastructure operators in Europe that depend on Juniper devices for secure network operations. Although the vulnerability does not directly compromise confidentiality or availability, the integrity of network controls is weakened, increasing the risk of subsequent attacks. The lack of authentication requirement and network-based attack vector heighten the threat, especially in environments where management interfaces are exposed or insufficiently segmented. Given the medium severity and absence of known exploits, the immediate risk may be moderate, but the potential for exploitation in targeted attacks against European networks is notable.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should promptly identify Juniper devices running affected Junos OS Evolved versions. Network administrators must review firewall filters applied to lo0 and re:mgmt interfaces, especially those referencing prefix lists with more than 10 entries using 'from prefix-list' conditions. As a direct mitigation, reducing the size of prefix lists to 10 or fewer entries can prevent the bypass condition until patches are applied. Organizations should prioritize upgrading affected devices to the fixed versions: 23.2R2-S4-EVO or later, 23.4R2-S5-EVO or later, 24.2R2-S1-EVO or later, and 24.4R1-S3-EVO or later. In environments where immediate patching is not feasible, implementing additional access controls such as network segmentation, strict ACLs on management interfaces, and limiting exposure of re:mgmt and lo0 interfaces to trusted networks can reduce attack surface. Monitoring network traffic for anomalous packets destined to or from local device interfaces may help detect exploitation attempts. Finally, organizations should incorporate this vulnerability into their vulnerability management and incident response processes to ensure timely detection and remediation.
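One practical way to carry out the filter review recommended above is to scan the device's 'show configuration | display set' output for the exact condition the advisory describes. The following script is an added example, not code from Juniper or from the original advisory; the sample configuration is constructed, and the regexes and the re*:mgmt* interface-naming pattern are assumptions of the example.

```python
import re
# From the advisory: a prefix list with more than 10 entries silently fails to match.
MAX_SAFE_ENTRIES = 10
PREFIX_ENTRY = re.compile(r"^set policy-options prefix-list (\S+) (\S+)$")
FROM_PREFIX_LIST = re.compile(r"^set firewall family inet6? filter (\S+) term \S+ from prefix-list (\S+)")
FILTER_APPLIED = re.compile(r"^set interfaces (\S+) unit \d+ family inet6? filter (input|output) (\S+)$")

def attachment_is_affected(interface, direction):
    """Advisory scope: lo0 only as output; re:mgmt interfaces as input and output."""
    if interface == "lo0":
        return direction == "output"
    return interface.startswith("re") and ":mgmt" in interface  # assumed naming, e.g. re0:mgmt-0

def find_unfiltered_attachments(config_text):
    """Return (interface, direction, filter, prefix-list, entry count) where the bypass condition holds."""
    entries = {}     # prefix-list name -> number of configured prefixes (IPv4 + IPv6 both count)
    referenced = {}  # filter name -> prefix lists it uses via 'from prefix-list'
    applied = []     # (interface, direction, filter name)
    for line in config_text.splitlines():
        if m := PREFIX_ENTRY.match(line.strip()):
            entries[m[1]] = entries.get(m[1], 0) + 1
        elif m := FROM_PREFIX_LIST.match(line.strip()):
            referenced.setdefault(m[1], set()).add(m[2])
        elif m := FILTER_APPLIED.match(line.strip()):
            applied.append((m[1], m[2], m[3]))
    findings = []
    for interface, direction, filt in applied:
        if not attachment_is_affected(interface, direction):
            continue  # e.g. lo0 input is not in scope for this CVE
        for pl in sorted(referenced.get(filt, ())):
            if entries.get(pl, 0) > MAX_SAFE_ENTRIES:
                findings.append((interface, direction, filt, pl, entries[pl]))
    return findings

# Constructed 'display set' sample (not from a real device): MGMT-HOSTS holds 10 IPv4
# entries plus one IPv6 entry, so its 11 entries exceed the limit; NTP-SERVERS holds one.
SAMPLE_CONFIG = "\n".join(
    [f"set policy-options prefix-list MGMT-HOSTS 10.0.0.{i}/32" for i in range(1, 11)]
    + ["set policy-options prefix-list MGMT-HOSTS 2001:db8::10/128",
       "set policy-options prefix-list NTP-SERVERS 192.0.2.10/32",
       "set firewall family inet filter PROTECT-RE term mgmt from prefix-list MGMT-HOSTS",
       "set firewall family inet filter NTP-ONLY term ntp from prefix-list NTP-SERVERS",
       "set interfaces lo0 unit 0 family inet filter input PROTECT-RE",
       "set interfaces lo0 unit 0 family inet filter output PROTECT-RE",
       "set interfaces re0:mgmt-0 unit 0 family inet filter input PROTECT-RE",
       "set interfaces re0:mgmt-0 unit 0 family inet filter output NTP-ONLY"])

for hit in find_unfiltered_attachments(SAMPLE_CONFIG):
    print("AFFECTED: %s %s filter %s -> prefix-list %s (%d entries)" % hit)
```

Prefix lists populated dynamically with apply-path cannot be counted from the static configuration this way; verify their size on the device instead.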
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Switzerland
Technical Details
Data Version: 5.1
Assigner Short Name: juniper
Date Reserved: 2025-06-23T18:23:44.546Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 68712e3ba83201eaacaf5d1b
Added to database: 7/11/2025, 3:31:07 PM
Last enriched: 7/18/2025, 8:41:21 PM
Last updated: 8/15/2025, 11:42:29 AM