CVE-2025-60003: CWE-126 Buffer Over-read in Juniper Networks Junos OS
CVE-2025-60003 is a high-severity buffer over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. An unauthenticated attacker can exploit it by sending a crafted BGP update containing specific optional transitive attributes over an established peering session, causing rpd to crash and restart and resulting in a denial of service (DoS). The flaw only triggers if one or both BGP peers are non-4-byte-AS capable; 4-byte AS support is enabled by default and must be explicitly disabled. It affects multiple versions of Junos OS and Junos OS Evolved prior to certain patch releases. The vulnerability has a CVSS score of 7.5, indicating high severity, with no known exploits in the wild currently. European organizations using affected Juniper routing devices with BGP peering configurations that disable 4-byte AS support are at risk. Mitigation requires upgrading to fixed Junos OS versions and verifying BGP peer capabilities to avoid triggering the flaw.
AI Analysis
Technical Summary
CVE-2025-60003 is a buffer over-read vulnerability classified under CWE-126 found in the routing protocol daemon (rpd) component of Juniper Networks Junos OS and Junos OS Evolved. The flaw arises when rpd processes BGP update messages containing specific optional transitive attributes over an established BGP peering session. If one or both peers in the session are non-4-byte-AS capable—determined by the advertised capabilities during session establishment—and the device receives a maliciously crafted BGP update, the rpd process attempts to advertise this information to another peer, triggering a buffer over-read. This causes rpd to crash and subsequently restart, resulting in a denial-of-service condition that disrupts routing operations. The default Junos OS behavior supports 4-byte AS numbers, so this vulnerability is only exploitable if the disable-4byte-as configuration is enabled. Affected versions include all releases before 22.4R3-S8, 23.2 before 23.2R2-S5, 23.4 before 23.4R2-S6, 24.2 before 24.2R2-S2, and 24.4 before 24.4R2 for both Junos OS and Junos OS Evolved. The vulnerability has a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is remotely exploitable without authentication or user interaction, causing high impact on availability but no confidentiality or integrity loss. No known exploits have been reported in the wild to date. Network operators can verify BGP peer capabilities using the command 'show bgp neighbor <IP address> | match "4 byte AS"' to assess exposure. The vulnerability underscores the risk of legacy BGP configurations and the importance of maintaining up-to-date routing software.
Potential Impact
For European organizations, this vulnerability poses a significant risk to network availability, particularly for ISPs, telecom providers, and large enterprises relying on Juniper routing infrastructure for BGP peering. A successful exploit can cause routing daemon crashes and restarts, leading to temporary loss of routing information, potential traffic disruption, and degraded network performance. This can impact critical services, including internet connectivity, cloud access, and inter-site communications. Organizations with legacy BGP configurations that disable 4-byte AS support are especially vulnerable. Given the importance of stable routing in telecommunications and enterprise networks across Europe, exploitation could disrupt business operations and service delivery. Although no confidentiality or integrity impact is noted, the availability impact alone can have cascading effects on dependent services and SLAs. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits targeting this vulnerability. The widespread use of Juniper devices in European network infrastructure increases the potential attack surface.
Mitigation Recommendations
1. Upgrade affected Junos OS and Junos OS Evolved devices to the fixed versions: 22.4R3-S8 or later, 23.2R2-S5 or later, 23.4R2-S6 or later, 24.2R2-S2 or later, and 24.4R2 or later as applicable.
2. Audit BGP configurations to identify sessions where 4-byte AS support is disabled (disable-4byte-as enabled) and evaluate the necessity of this setting; re-enable 4-byte AS support if possible.
3. Use the command 'show bgp neighbor <IP address> | match "4 byte AS"' to verify peer capabilities and identify vulnerable sessions.
4. Implement network segmentation and filtering to restrict BGP update messages from untrusted or external peers, reducing exposure to crafted malicious updates.
5. Monitor routing daemon stability and logs for unexpected rpd crashes or restarts that may indicate exploitation attempts.
6. Employ anomaly detection systems to identify unusual BGP update patterns that could signal an attack.
7. Coordinate with upstream and downstream BGP peers to ensure consistent 4-byte AS support and secure BGP session configurations.
8. Maintain an incident response plan to quickly address routing disruptions caused by this vulnerability.
These steps go beyond generic patching by focusing on configuration hygiene, proactive monitoring, and peer coordination.
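As an added example (not part of the advisory and not Juniper's tooling), the following Python helper turns the exposure checks above into code: it compares a Junos version string against the fix releases listed in the Technical Summary, and it scans 'show bgp neighbor' output for peers whose session did not negotiate 4 byte AS support. The version format handled (major.minorRn[-Sn]) and the exact wording of the capability lines in the sample are assumptions; the sample output is constructed, not a real capture.

```python
import re

# Fix releases per train, taken from the advisory text.
FIXED = {(22, 4): "22.4R3-S8", (23, 2): "23.2R2-S5", (23, 4): "23.4R2-S6",
         (24, 2): "24.2R2-S2", (24, 4): "24.4R2"}

_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")

def parse_version(text):
    """Split a Junos version such as '23.4R2-S6' into (major, minor, R, S); S defaults to 0."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    major, minor, r, s = m.groups()
    return (int(major), int(minor), int(r), int(s or 0))

def is_vulnerable_version(text):
    """True if below the fix for its train, False if at/after it, None if the
    advisory lists no fix for that train (treat None as 'check with the vendor')."""
    ver = parse_version(text)
    if ver[:2] in FIXED:
        return ver < parse_version(FIXED[ver[:2]])
    # "all releases before 22.4R3-S8" covers every older train.
    return True if ver[:2] < (22, 4) else None

def peers_without_4byte_as(show_bgp_neighbor):
    """Return peer addresses whose session did not negotiate 4 byte AS support.
    Assumed layout: each block opens 'Peer: <addr>+<port> AS <n>' and carries a
    capability line containing '4 byte AS' (the advisory's own match filter)."""
    flagged, current, supported = [], None, False
    for line in show_bgp_neighbor.splitlines():
        m = re.match(r"^Peer:\s+(\S+?)\+\d+\s+AS", line)
        if m:
            if current is not None and not supported:
                flagged.append(current)
            current, supported = m.group(1), False
        elif "4 byte AS" in line and "not support" not in line:
            supported = True
    if current is not None and not supported:
        flagged.append(current)
    return flagged

# Constructed sample output (not a real capture): one peer negotiated 4 byte AS, one did not.
SAMPLE = """\
Peer: 192.0.2.1+179 AS 64496   Local: 192.0.2.2+52013 AS 64497
  Peer supports 4 byte AS extension (peer-as 64496)
Peer: 198.51.100.9+60112 AS 64498   Local: 192.0.2.2+179 AS 64497
  Peer does not support 4 byte AS extension
"""
```

A peer returned by peers_without_4byte_as on a device whose version is_vulnerable_version reports as True is a session to prioritise for upgrade or for re-enabling 4-byte AS support.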
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: juniper
- Date Reserved: 2025-09-23T18:19:06.960Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69694e761ab3796b105000f2
Added to database: 1/15/2026, 8:30:46 PM
Last enriched: 1/22/2026, 9:32:49 PM
Last updated: 2/6/2026, 4:45:43 PM