Juniper Junos OS Vulnerability (JSA100096)

🗓️ 06 Feb 2026 00:00:00Reported by TenableType

Junos OS UI vulnerability lets high-privilege attackers modify configuration via annotate command.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2025-52989	24 Sep 202508:51	–	circl
CNNVD	Juniper Networks Junos OS和Juniper Networks Junos OS Evolved 安全漏洞	11 Jul 202500:00	–	cnnvd
CVE	CVE-2025-52989	11 Jul 202515:10	–	cve
Cvelist	CVE-2025-52989 Junos OS and Junos OS Evolved: Annotate configuration command can be used to change the configuration	11 Jul 202515:10	–	cvelist
EUVD	EUVD-2025-21143	3 Oct 202520:07	–	euvd
NVD	CVE-2025-52989	11 Jul 202516:15	–	nvd
OSV	CVE-2025-52989	11 Jul 202516:15	–	osv
Positive Technologies	PT-2025-29258 · Juniper Networks · Junos Evolved +1	9 Jul 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-52989	13 Jul 202515:20	–	redhatcve
Vulnrichment	CVE-2025-52989 Junos OS and Junos OS Evolved: Annotate configuration command can be used to change the configuration	11 Jul 202515:10	–	vulnrichment

Source	Link
nessus	www.nessus.org/u
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#TRUSTED 5e46ab70456b23f0543f072f598b17de0b465606efb83e78d06e9edf14b72b294f537d448399781a89edb933aaf2388bfbec2c6a5b6d0b5c1ebd206f1c5b12f55dbfecfb97ab0db8dce40ceb102539862b0cadad35f24d9c448744824720ab6b3e00881e2a774d84a34312f666373b9b90a1cbde7b7c39e430768693cbf86d0bef4b753392c60520d7db2136d242bcd8519a1eebe65e912cda9b8ac90c3389a37a9dcceb5a66e91f1664a03ab7c92eaf6ae3c8ee3d9b61089522a6e29192c67f8aba4dac099086ce7cf5d0c11d6161d4f9aa0d1920f1c3dc70d247cd1ffb4563223b7901b28823395fc8ac78751ce8e754e7b40c202bd449fc4c2e643b5150016a339d1fcf7e655d4dffef3dd21d82d418d22015c6fab4c460a6fb441abcbacc0e2aea06c3f7ded3f280a76667a54d7dd35646b2ecce9ca096cdb55d4939e158fdbcf882b7cf3999f2eff27503cf21cbb9021935825da4eac81fdbb1782c0607da04104594dd21e9fddf844b51e59227f1ba2a48844f33ecac6c66eb374f902b6d8f33f2a183ee32305527fcb2565188895625b113673d0172d8621671555e7299cd0a510a017e8443248ad17a4347ae5216e0969df3042953e3852fae8c4d846fcccb8c32df0972330cabcf46b8f05d1075ad4ba940035e3b4b1d578c7155ace1499397c37a8f9e8c934cdda103a0aa4882160fa96210e5d2d932c6673d2252
#TRUST-RSA-SHA256 1df03452a59a9a16e1508029e34c41820d8a5089fef9b44e57476706e981a5764c648e1d29c200149b349d61bdeedae3e972dad7fcc05f74d8d876f84887ff892e51fc264c52e3a974abaa16ab2d32b249821aea24018895cef8d5c85749509e712e3ac65d52f27ed8ed057eac756190d4264569043c566e02a023787fe9df7323cea5f088032dc9eb1e3640be8af033ddc38a0db15b1bf717efdbe624207cb699db65c0b85c828f07559ce10656a89228526ae046205fabd344bf026c3f1fbe7053cbbd40078f31d8990122750be36f31310fb950b587efbc7e1d47d4f386f0b0d89a15851b66a1cce6e15bd39c502532ed424b1fd8a903afcc65b81986e5086678a1eb1f00c737b7fd786832fc2adac22a23997e8cc822987b07c2cfa9d70c787093e3b5208edf185447da9798d07489523e0f6818de29d048a67c14efcb8fea1401f583d7e860b70c0287f5fa7f119a332fabc755f33832b3d4627d9727092d08b0b8b63703edaea0418c9ab315e3f47a3a737f23398cac3fa57406bf555c86c5d7f4a1810a15c4548eef79bf15a27c5525cd46cd775e15c5c83ce3fa129260830cc9d0e90963bff73177aef11e19b06de8a9ee136f5fe5c1fc4b00aa2d242e37b98778fdc14b566daeb8b118b3d9651ce9d001f7d364197e18df4ec269368af4dbec098060fdbedbb73e173be1762897863eeceeb0ed195564001e118a51
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(298254);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/06");

  script_cve_id("CVE-2025-52989");
  script_xref(name:"JSA", value:"JSA100096");
  script_xref(name:"IAVA", value:"2025-A-0510");

  script_name(english:"Juniper Junos OS Vulnerability (JSA100096)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA100096
advisory.

  - An Improper Neutralization of Delimiters vulnerability in the UI of Juniper Networks Junos OS and Junos OS
    Evolved allows a local, authenticated attacker with high privileges to modify the system configuration. A
    user with limited configuration and commit permissions, using a specifically crafted annotate
    configuration command, can change any part of the device configuration. This issue affects: Junos OS: *
    all versions before 22.2R3-S7, * 22.4 versions before 22.4R3-S7, * 23.2 versions before 23.2R2-S4, * 23.4
    versions before 23.4R2-S4, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R1-S2, 24.4R2;
    Junos OS Evolved: * all versions before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S4-EVO, *
    23.4-EVO versions before 23.4R2-S5-EVO, * 24.2-EVO versions before 24.2R2-S1-EVO * 24.4-EVO versions
    before 24.4R2-EVO. (CVE-2025-52989)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Annotate-configuration-command-can-be-used-for-privilege-escalation-CVE-2025-52989
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5bfa115e");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA100096");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:M/C:N/I:C/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_supplemental", value:"CVSS:4.0/R:U/RE:M");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-52989");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/07/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/06");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version");

  exit(0);
}

include('junos.inc');
include('junos_kb_cmd_func.inc');


var ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');

var vuln_ranges = [
  {'min_ver':'0.0', 'fixed_ver':'22.2R3-S7'},
  {'min_ver':'0.0-EVO', 'fixed_ver':'22.4R3-S7-EVO'},
  {'min_ver':'22.4', 'fixed_ver':'22.4R3-S7'},
  {'min_ver':'23.2', 'fixed_ver':'23.2R2-S4'},
  {'min_ver':'23.2-EVO', 'fixed_ver':'23.2R2-S4-EVO'},
  {'min_ver':'23.4', 'fixed_ver':'23.4R2-S4'},
  {'min_ver':'23.4-EVO', 'fixed_ver':'23.4R2-S5-EVO'},
  {'min_ver':'24.2', 'fixed_ver':'24.2R2-S1'},
  {'min_ver':'24.2-EVO', 'fixed_ver':'24.2R2-S1-EVO'},
  {'min_ver':'24.4', 'fixed_ver':'24.4R1-S2', 'fixed_display':'24.4R1-S2, 24.4R2'},
  {'min_ver':'24.4-EVO', 'fixed_ver':'24.4R2-EVO'}
];

var fix = junos_compare_range(target_version:ver, vuln_ranges:vuln_ranges);
if (empty_or_null(fix)) audit(AUDIT_INST_VER_NOT_VULN, 'Junos OS', ver);
junos_report(ver:ver, fix:fix, override:FALSE, severity:SECURITY_WARNING);

06 Feb 2026 00:00Current

5.6Medium risk

Vulners AI Score5.6

CVSS 3.15.1

CVSS 46.8

EPSS0.00089

SSVC