
Juniper Networks has released an out-of-cycle security bulletin addressing an actively exploited vulnerability in Junos OS that could allow a local attacker to execute arbitrary code. The vulnerability, tracked as CVE-2025-21590, affects multiple versions of Junos OS.
The flaw is described as an “Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS.” According to the bulletin, a local attacker with high privileges can compromise the integrity of the device: “a local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.” The bulletin also notes that “this issue is not exploitable from the Junos CLI,” so the attacker must already have shell (not just CLI) access.
The vulnerability affects every currently supported Junos OS train. The affected versions are:
- All versions before 21.2R3-S9
- 21.4 versions before 21.4R3-S10
- 22.2 versions before 22.2R3-S6
- 22.4 versions before 22.4R3-S6
- 23.2 versions before 23.2R2-S3
- 23.4 versions before 23.4R2-S4
- 24.2 versions before 24.2R1-S2, 24.2R2
Junos OS Evolved is not affected by this vulnerability.
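Checking a fleet against that list by hand is error-prone, because Junos version strings carry a release, a service-release and sometimes a build suffix that all have to be compared in order. The following Python is an added example, not code from Juniper or from this article: it parses a version string, compares it against the fixed releases above, and classifies it as affected, fixed, unlisted (a train the bulletin names no fix for, to be confirmed against the bulletin rather than assumed clean) or not affected (Junos OS Evolved). It assumes the version grammar `MAJOR.MINOR R RELEASE [-S SERVICE] [.BUILD]` with an optional `-EVO` suffix, and that `show version` output contains a line beginning `Junos:`; the sample output is constructed, not a real device capture.

```python
import re
from typing import NamedTuple

# Fixed releases per Junos OS train, as listed in the Juniper bulletin for
# CVE-2025-21590. A version in one of these trains is affected if it sorts
# below its entry. 24.2R2 sorts above 24.2R1-S2, so one entry covers both
# fixes named for the 24.2 train.
FIXED_IN = {
    (21, 2): "21.2R3-S9",
    (21, 4): "21.4R3-S10",
    (22, 2): "22.2R3-S6",
    (22, 4): "22.4R3-S6",
    (23, 2): "23.2R2-S3",
    (23, 4): "23.4R2-S4",
    (24, 2): "24.2R1-S2",
}
# "All versions before 21.2R3-S9" also covers every train older than 21.2.
OLDEST_FIXED = "21.2R3-S9"

# Assumed version grammar: MAJOR.MINOR R RELEASE [-S SERVICE] [.BUILD].
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?$")


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int
    service: int  # 0 when there is no -S suffix, so 21.4R3 < 21.4R3-S1
    build: int    # trailing ".n" build number, 0 when absent

    @property
    def train(self):
        return (self.major, self.minor)


def parse_version(text: str) -> JunosVersion:
    """Parse a Junos version string such as '21.4R3-S9.2' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    fields = (int(g) if g else 0 for g in m.groups())
    return JunosVersion(*fields)


def assess(text: str) -> str:
    """Classify one version string against the bulletin's affected ranges."""
    s = text.strip()
    # Junos OS Evolved images carry an -EVO suffix and are not affected.
    if s.upper().endswith("-EVO"):
        return "not affected (Junos OS Evolved)"
    v = parse_version(s)
    fixed = FIXED_IN.get(v.train)
    if fixed is not None:
        return "affected" if v < parse_version(fixed) else "fixed"
    if v < parse_version(OLDEST_FIXED):
        return "affected"
    # Trains the bulletin does not list (for example 21.3, 22.1, 22.3, 23.1)
    # have no fix named for them; confirm against the bulletin instead of
    # treating them as clean.
    return "unlisted"


# Assumed: "show version" output contains a line of the form "Junos: <version>".
_JUNOS_LINE_RE = re.compile(r"^\s*Junos:\s*(\S+)", re.MULTILINE)


def assess_show_version(output: str) -> str:
    """Pull the running version out of 'show version' text and classify it."""
    m = _JUNOS_LINE_RE.search(output)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return assess(m.group(1))


# Constructed sample of "show version" output (not a real device capture).
SAMPLE_SHOW_VERSION = """\
Hostname: mx-edge-01
Model: mx480
Junos: 22.4R3-S5.1
JUNOS OS Kernel 64-bit  [builder_stable_12]
"""

if __name__ == "__main__":
    for candidate in ("20.4R3-S4", "21.2R3-S8", "21.2R3-S9", "21.3R1",
                      "24.2R1-S1", "24.2R2", "22.4R3-S6-EVO"):
        print(f"{candidate:16} -> {assess(candidate)}")
    print("sample device     ->", assess_show_version(SAMPLE_SHOW_VERSION))
```

The tuple comparison is what makes this reliable: `22.4R3-S5.1` is classified as affected because its service release (5) is below the fixed one (6), regardless of the trailing build number, and `24.2R2` is classified as fixed because release 2 sorts above release 1 of the same train.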
Juniper’s Security Incident Response Team (SIRT) has received at least one report of malicious exploitation of this vulnerability.
In mid-2024, Mandiant discovered threat actors deploying custom backdoors on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to UNC3886, a China-nexus espionage group. The backdoors included TINYSHELL-based backdoors with various custom capabilities, such as active and passive backdoor functions, and an embedded script that disables logging mechanisms.
Mandiant’s investigation revealed that the affected Juniper MX routers were running end-of-life hardware and software. Mandiant recommends that organizations upgrade their Juniper devices to the latest images released by Juniper Networks, including mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT). Organizations should also run the JMRT Quick Scan and Integrity Check after the upgrade.
Because the vulnerability is being exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities Catalog, with a remediation due date of April 3, 2025.
Juniper Networks advises customers to upgrade to one of the fixed releases listed above. Where an upgrade cannot be applied immediately, the bulletin's workaround is to restrict shell access to trusted users only, since the issue cannot be triggered from the Junos CLI.