Juniper Junos OS Vulnerability (JSA92867)

🗓️ 28 Apr 2026 00:00:00Reported by TenableType

Junos OS and Junos OS Evolved allow unauthenticated BGP updates to crash rpd.

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2025-21598	9 Jan 202518:21	–	circl
CNNVD	Juniper Networks Junos OS和Juniper Networks Junos OS Evolved 缓冲区错误漏洞	9 Jan 202500:00	–	cnnvd
CVE	CVE-2025-21598	9 Jan 202518:16	–	cve
Cvelist	CVE-2025-21598 Junos OS and Junos OS Evolved: When BGP traceoptions are configured, receipt of malformed BGP packets causes RPD to crash	9 Jan 202518:16	–	cvelist
EUVD	EUVD-2025-2564	3 Oct 202520:07	–	euvd
NCSC	Vulnerabilities fixed in Juniper JunOS	10 Jan 202512:14	–	ncsc
NVD	CVE-2025-21598	9 Jan 202519:15	–	nvd
Positive Technologies	PT-2025-1009 · Juniper Networks · Junos Evolved +1	8 Jan 202500:00	–	ptsecurity
Vulnrichment	CVE-2025-21598 Junos OS and Junos OS Evolved: When BGP traceoptions are configured, receipt of malformed BGP packets causes RPD to crash	9 Jan 202518:16	–	vulnrichment

Source	Link
nessus	www.nessus.org/u
nessus	www.nessus.org/u
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#TRUSTED 161b18de0089aec7fb2b5b96f0f7b7f2d5e8525a3b5b3f5c7dca0011ac93cc96746aa80a7465d8af7b49dea10bec6f2e75a1592c499d56625e8f689c50bb8a649b3a894d8ebf13711f7c02ef535dcf4c83c7022455ce9d9ea6092ea08146060ca6000fb5ab6c290f90e630687bf1a3bffecc36a3f03db36baaae91bd54b908f3fd4899291689780f4e39b7d49f4702d59102edfaa9781d228edc5f9cc9cb3c6e4838445e9ef233f0821dc2933f738c4d0b6f40a98c3fce32743f63f82f56953e774ea6ab11cba54381f849f31af81034ea5b7708a067ec7d3ecaecc8b53d57665dc595c6302da5e844adea24a6b9a5c11eb502e44a215ed67d015e47d5cf7656573ca38d57e3a7de9327aa4e2a392c4d662b47c25a160c53759e99da0244f549f84690cce52eed28a7a957e864613929faba81a697ac6e7c7667b7a66453a719b0a245d88d5ef8afdff684a5985f1404284ca03ab4bc29dfa1ab7b5553fa6bb9a3072731ac85fc2a25adf03281198956c5769c0e7926a41a5a094213122d8e83cc0e8bb1626f1d771f071500379a7e192b09d90107162dcf50c5abe0ecbda3c296f3f23fc2ca7f4bb4f57ea74e38b2c749a7ee3f6cd86d882f6c77222867fa0316832e02a5deaa4b849d0106eaac237a0550da27a84d7e68a3e344277a7c963642ff8fafcb799696cd2d019c2be0f31db42342950ba76dfaba3b6f3319cd4a46
#TRUST-RSA-SHA256 3ac911c0b5130cb1db16d03a0c11dff90aa24af1109c117ab0b9d284f871459c7fe3cf6b2e87466bb6cac6024607ec5100aa331bd7910ed5e9f48d13075aeaa7c8d6262a9b9d6e8b8c1b446687c0dfe7a3634c4ef772e7a0eddca5f37f440cb4c6a8c291e606a63c7a42e0475eca804e24e5af8969bb25353af639af509591e17f80f9a5c832085b0a05ce613c686fa0ad6ebec9942d8c9605778015db053e485408155b252e51386a9aff7f83cfc77dcccf8d158e7fa23228bd49cea5b90f2e801129106aa8c5c85c5f470cda66b0ae13547080b332082105ad93d668ce4ad9dac278725f7f1c9af607eca9fd20f8032864085f19d40c9a3601a9df6a562c3b3dcf77e74c720335d711ca86aa3cb5e36e2d106465ceabedd102182d472c91dbe454958c1f76176869f2f2ed69a4bc47fb173e4a655541967eec3fb41263cc2c0d131cefaf4f3e4f33c771e780dd51f55f9eff339cfdd0c0672391c510927d6c0518b3bb098a5b57d739c733466cdd1cfc2431a07ce326e5957760bbc9e378c21ff2708194e0f57c774f4df22cee429f3c0b39fa55163aa97a801248ec94aaa8752f1fd6da6ea3e8fb049267c4fb625bb2ca74ede8ff7126eaed44467d727968b492c51e37484251ccf49da111781228ae562e1b32cb2ae467bb4b2ca3b7ec05111bf011bf54a8c550aa00cb84f6be2fe64391335f7b7930c71d468474554289
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
# This file was created in whole or in part by AI.
##

include('compat.inc');

if (description)
{
  script_id(310755);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/28");

  script_cve_id("CVE-2025-21598");
  script_xref(name:"JSA", value:"JSA92867");

  script_name(english:"Juniper Junos OS Vulnerability (JSA92867)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA92867
advisory.

  - An Out-of-bounds Read vulnerability in Juniper Networks Junos OS and Junos OS Evolved's routing protocol
    daemon (rpd) allows an unauthenticated, network-based attacker to send malformed BGP packets to a device
    configured with packet receive trace options enabled to crash rpd. This issue affects: Junos OS: * from
    21.2R3-S8 before 21.2R3-S9, * from 21.4R3-S7 before 21.4R3-S9, * from 22.2R3-S4 before 22.2R3-S5, * from
    22.3R3-S2 before 22.3R3-S4, * from 22.4R3 before 22.4R3-S5, * from 23.2R2 before 23.2R2-S2, * from 23.4R1
    before 23.4R2-S1, * from 24.2R1 before 24.2R1-S1, 24.2R2. Junos OS Evolved: * from 21.4R3-S7-EVO before
    21.4R3-S9-EVO, * from 22.2R3-S4-EVO before 22.2R3-S5-EVO, * from 22.3R3-S2-EVO before 22.3R3-S4-EVO, *
    from 22.4R3-EVO before 22.4R3-S5-EVO, * from 23.2R2-EVO before 23.2R2-S2-EVO, * from 23.4R1-EVO before
    23.4R2-S1-EVO, * from 24.2R1-EVO before 24.2R1-S2-EVO, 24.2R2-EVO. This issue requires a BGP session to be
    established. This issue can propagate and multiply through multiple ASes until reaching vulnerable
    devices. This issue affects iBGP and eBGP. This issue affects IPv4 and IPv6. An indicator of compromise
    may be the presence of malformed update messages in a neighboring AS which is unaffected by this issue:
    For example, by issuing the command on the neighboring device: show log messages Reviewing for similar
    messages from devices within proximity to each other may indicate this malformed packet is propagating:
    rpd[<pid>]: Received malformed update from <IP address> (External AS <AS#>) and rpd[<pid>]: Malformed
    Attribute (CVE-2025-21598)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/traceoptions-edit-protocols-bgp.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56304005");
  # https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-When-BGP-traceoptions-are-configured-receipt-of-malformed-BGP-packets-causes-RPD-to-crash-CVE-2025-21598
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0c39d8b1");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA92867");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L");
  script_set_attribute(attribute:"cvss4_supplemental", value:"CVSS:4.0/AU:Y/R:A/V:C/RE:M/U:Amber");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-21598");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/01/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/01/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/28");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version");

  exit(0);
}

include('junos.inc');
include('junos_kb_cmd_func.inc');


var ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');

var vuln_ranges = [
  {'min_ver':'21.2R3-S8', 'fixed_ver':'21.2R3-S9'},
  {'min_ver':'21.4R3-S7', 'fixed_ver':'21.4R3-S9'},
  {'min_ver':'21.4R3-S7-EVO', 'fixed_ver':'21.4R3-S9-EVO'},
  {'min_ver':'22.2R3-S4', 'fixed_ver':'22.2R3-S5'},
  {'min_ver':'22.2R3-S4-EVO', 'fixed_ver':'22.2R3-S5-EVO'},
  {'min_ver':'22.3R3-S2', 'fixed_ver':'22.3R3-S4'},
  {'min_ver':'22.3R3-S2-EVO', 'fixed_ver':'22.3R3-S4-EVO'},
  {'min_ver':'22.4R3', 'fixed_ver':'22.4R3-S5'},
  {'min_ver':'22.4R3-EVO', 'fixed_ver':'22.4R3-S5-EVO'},
  {'min_ver':'23.2R2', 'fixed_ver':'23.2R2-S2'},
  {'min_ver':'23.2R2-EVO', 'fixed_ver':'23.2R2-S2-EVO'},
  {'min_ver':'23.4R1', 'fixed_ver':'23.4R2-S1'},
  {'min_ver':'23.4R1-EVO', 'fixed_ver':'23.4R2-S1-EVO'},
  {'min_ver':'24.2R1', 'fixed_ver':'24.2R1-S1', 'fixed_display':'24.2R1-S1, 24.2R2'},
  {'min_ver':'24.2R1-EVO', 'fixed_ver':'24.2R1-S2-EVO', 'fixed_display':'24.2R1-S2-EVO, 24.2R2-EVO'}
];

var override = TRUE;
var buf1 = junos_command_kb_item(cmd:'show configuration | display set');
if (buf1)
{
  var conf1 = !junos_check_config(buf:buf1, pattern:"^set .*protocols bgp traceoptions flag update detail");
  var conf2 = !junos_check_config(buf:buf1, pattern:"^set .*protocols bgp traceoptions flag receive detail");
  var conf3 = !junos_check_config(buf:buf1, pattern:"^set .*protocols bgp group \S+ neighbor \S+ traceoptions flag update detail");
  var conf4 = !junos_check_config(buf:buf1, pattern:"^set .*protocols bgp group \S+ neighbor \S+ traceoptions flag receive detail");
  if (conf1 && conf2 && conf3 && conf4)
    audit(AUDIT_OS_CONF_NOT_VULN, 'Junos OS');
  override = FALSE;
}

var fix = junos_compare_range(target_version:ver, vuln_ranges:vuln_ranges);
if (empty_or_null(fix)) audit(AUDIT_INST_VER_NOT_VULN, 'Junos OS', ver);
junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_HOLE);

28 Apr 2026 00:00Current

5.6Medium risk

Vulners AI Score5.6

CVSS 3.17.5

CVSS 48.2

EPSS0.00744

SSVC