Juniper Junos OS Vulnerability (JSA100051)

🗓️ 25 Jul 2025 00:00:00Reported by TenableType

Junos OS vulnerability allows denial of service on specific ACX Series platforms by crashing FEB.

Reporter	Title	Published	Views	Family All 11
BDU FSTEC	The vulnerability of Juniper Networks’ Junos OS, related to insufficient handling of exceptional states, allows a attacker to trigger a service failure.	21 Jul 202500:00	–	bdu_fstec
Circl	CVE-2025-52947	11 Jul 202515:24	–	circl
CNNVD	Juniper Networks Junos OS 安全漏洞	11 Jul 202500:00	–	cnnvd
CVE	CVE-2025-52947	11 Jul 202514:40	–	cve
Cvelist	CVE-2025-52947 Junos OS: ACX Series: When 'hot-standby' mode is configured for an L2 circuit, interface flap causes the FEB to crash	11 Jul 202514:40	–	cvelist
EUVD	EUVD-2025-21140	3 Oct 202520:07	–	euvd
NVD	CVE-2025-52947	11 Jul 202515:15	–	nvd
OSV	CVE-2025-52947	11 Jul 202515:15	–	osv
Positive Technologies	PT-2025-29236 · Juniper Networks · Acx2200 +8	9 Jul 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-52947	13 Jul 202515:20	–	redhatcve

Source	Link
nessus	www.nessus.org/u
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#TRUSTED 4bb34a1656855238ff294d885b13149a63ee890370584429c185df949ae6bc634bd8c062c8398be6cc551ec777c74e82604300ee088cff7a5d36d96d1589d069899048e9a3fda4c0abb66289efceb33a837af0a045476998cb5c7dad251227bf1170c111cedb6daf33de930b172a4785d0ddc49876d41fe90ae6dcf9363fc9338d85525f3ce4fd81dbf0c174bf486b372b789814af53a5e563d615a3891aabd7b09fd5f4ba9f4be5e7ced3536fa3951f9fe4455948e79cdb67f785a109bb2c3824cfd6e62bb6449e1b9d05a81a0798b1ac9f79fa36265f674190fd4633ce98b5468ce81edbf3e4c3baad9a349bb2cabae0337ea8cb963e2319aa0c61ab9c923a4b3f3af6f53bc5dd6109072a93c0ba7f16d0f261ccbf231be677d717d36adcfde68a53a283340f77e1ee6184a6f6c2ed2297e4355a3a62e426445fdf5b78217464f8528ffecd09e5d66b3308843de8b97425f8756784016f2c0b6b879bff32409f3a1f54da5569460640ca0025ae8452bddba8bf80931cd8de73b3bed6fc02ac5d256456c1ce7d6c9d2624be4eea7458f2fed65f799cf406ad85f31e850ffb5a728ac786725a9c7bea329d5e7973f049562ecf7852d65067c404df0600996eb34abaa7d0fa8ec7554eee1ada9359fc2a4c6d8e842f715a800bc2f72f33277d132ee6a35b0989def6bfaf13000852f2de59786578fb05f42cb040c7a72bd03eba
#TRUST-RSA-SHA256 70e50db1597f4a0e010143b8d97d2475ec7a33b8b025eb3b9cd26164aabcbb6e9e1e2bca5dd508e6141e3e9b2ebb06567922ec44f27976e8355ae0f7930ad8ecbe0a56ae8391c2324680c16c69502a554179f6e1e1d5cd6b9c162a39bd1e6aa79052486992e2f4861e7f84715af71a5d42ee4c791df48aca426b256055a6e79b26d3446587e169fa617b5952fa749ff174ceb149de18efecfeb39054424812fb40c67134b19d39cec8cecae5590e3de0cb442e3077b340f7987dec2d2bcb3a90a0db2d97df33035d49f8364295971a795e3ee1273b78ea075239f7fc3cd4599f156b09ecfd1e0c02aada1e41de869400860cfaba00bf2ee72e79bcb6d66f217936629615f0450bccfad380f3e352dc9db0096f1e826210bb4739eb55c89047205744ee419d9982b72d9ed7bc0df3363a8e2bd081df59b9f38f163f87713796def7134ed897e3737556388514634a2539f562a68aaf42a4afb3becffcadfd3ab9db35d9edd2acf4af571a407b8ff5bd801aea78cf0636f32828772c851b658ac99d1902df2118937e7688b05ce7cd7e64b13ae82fd11fb694c769daf4743f4bbae1dfe24c3932874d0c8a65c00d0338d5bc0d01c7e1d35ac43e97a539a3dcbd488c04d6a4f22f5d098836c2884e8af791dad2de338cd870db79d97c7e9c9eb852fd943ca10831e0cf39c31c4bb180f9699d3a98498b188269109698501e58b8b9
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(242694);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/07/25");

  script_cve_id("CVE-2025-52947");
  script_xref(name:"JSA", value:"JSA100051");
  script_xref(name:"IAVA", value:"2025-A-0510");

  script_name(english:"Juniper Junos OS Vulnerability (JSA100051)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA100051
advisory.

  - An Improper Handling of Exceptional Conditions vulnerability in route processing of Juniper Networks Junos
    OS on specific end-of-life (EOL) ACX Series platforms allows an attacker to crash the Forwarding Engine
    Board (FEB) by flapping an interface, leading to a Denial of Service (DoS). On ACX1000, ACX1100, ACX2000,
    ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096 devices, FEB0 will crash when the primary path port of the
    L2 circuit IGP (Interior Gateway Protocol) on the local device goes down. This issue is seen only when
    'hot-standby' mode is configured for the L2 circuit. This issue affects Junos OS on ACX1000, ACX1100,
    ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096: * all versions before 21.2R3-S9.
    (CVE-2025-52947)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-ACX-Series-When-hot-standby-mode-is-configured-for-an-L2-circuit-interface-flap-causes-the-FEB-to-crash
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e7c615f2");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA100051");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L");
  script_set_attribute(attribute:"cvss4_supplemental", value:"CVSS:4.0/R:A/RE:M/U:Green");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-52947");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/07/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/07/25");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");

  exit(0);
}

include('junos.inc');
include('junos_kb_cmd_func.inc');

var model = get_kb_item_or_exit('Host/Juniper/model');
if (model !~ "ACX([12][01][0-9]{2}|22[0-9]{2}|4[0-9]{3}|5048|5096)")
{
  audit(AUDIT_DEVICE_NOT_VULN, model);
}

var ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');

var vuln_ranges = [
  {'min_ver':'0.0', 'fixed_ver':'21.2R3-S9', 'model':'^ACX([12][01][0-9]{2}|22[0-9]{2}|4[0-9]{3}|5048|5096)'}
];

var override = TRUE;
var buf = junos_command_kb_item(cmd:'show configuration | display set');
if (buf)
{
  override = FALSE;
  if (!preg(string:buf, pattern:"^set protocols l2circuit neighbor.*interface.*backup-neighbor.*hot-standby", multiline:TRUE))
    audit(AUDIT_HOST_NOT, 'using a vulnerable configuration');
}

var fix = junos_compare_range(target_version:ver, vuln_ranges:vuln_ranges);
if (empty_or_null(fix)) audit(AUDIT_INST_VER_NOT_VULN, 'Junos OS', ver);
junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);

25 Jul 2025 00:00Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.16.5

CVSS 47.1

EPSS0.00132

SSVC