{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21590","assignerOrgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","state":"PUBLISHED","assignerShortName":"juniper","dateReserved":"2024-12-26T14:47:11.667Z","datePublished":"2025-03-12T13:59:43.038Z","dateUpdated":"2026-02-26T19:09:35.631Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Junos OS","vendor":"Juniper Networks","versions":[{"lessThan":"21.2R3-S9","status":"affected","version":"0","versionType":"semver"},{"lessThan":"21.4R3-S10","status":"affected","version":"21.4","versionType":"semver"},{"lessThan":"22.2R3-S6","status":"affected","version":"22.2","versionType":"semver"},{"lessThan":"22.4R3-S6","status":"affected","version":"22.4","versionType":"semver"},{"lessThan":"23.2R2-S3","status":"affected","version":"23.2","versionType":"semver"},{"lessThan":"23.4R2-S4","status":"affected","version":"23.4","versionType":"semver"},{"lessThan":"24.2R1-S2, 24.2R2","status":"affected","version":"24.2","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"Juniper SIRT would like to acknowledge and thank Matteo Memelli from Amazon for responsibly reporting this issue. Note: Amazon found the issue during internal security research and not due to exploitation."}],"datePublic":"2025-03-12T14:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.

A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.
This issue is not exploitable from the Junos CLI.

This issue affects Junos OS: 

"}],"value":"An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device.\n\nA local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device.\nThis issue is not exploitable from the Junos CLI.\nThis issue affects Junos OS: \n\n\n\n * All versions before 21.2R3-S9,\n * 21.4 versions before 21.4R3-S10, \n * 22.2 versions before 22.2R3-S6, \n * 22.4 versions before 22.4R3-S6, \n * 23.2 versions before 23.2R2-S3, \n * 23.4 versions before 23.4R2-S4,\n * 24.2 versions before 24.2R1-S2, 24.2R2."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"At least one instance of malicious exploitation has been reported to the Juniper SIRT. Customers are encouraged to upgrade to a fixed release as soon as it's available and in the meantime take steps to mitigate this vulnerability."}],"value":"At least one instance of malicious exploitation has been reported to the Juniper SIRT. Customers are encouraged to upgrade to a fixed release as soon as it's available and in the meantime take steps to mitigate this vulnerability."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":4.4,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":6.7,"baseSeverity":"MEDIUM","privilegesRequired":"HIGH","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-653","description":"CWE-653 Improper Isolation or Compartmentalization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","shortName":"juniper","dateUpdated":"2025-05-06T08:00:02.011Z"},"references":[{"tags":["vendor-advisory"],"url":"https://supportportal.juniper.net/JSA93446"},{"tags":["third-party-advisory"],"url":"https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"

The following software releases have been updated to resolve this specific issue: 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.

\n

 

\n

Please note that this issue is not fixed for all platforms in the releases specified in the solution section.

\n

For the following products the fix is only available in these releases:

\n

SRX300 Series   21.2R3-S9, 23.4R2-S5*, 24.4R1

\n

SRX550HM    22.2R3-S7*

\n

EX4300 Series     21.4R3-S11* (except EX4300-48MP which has fixes available as indicated in the solution)

\n

EX4600               21.4R3-S11* (except EX4650 which has fixes available as indicated in the solution)

\n

ACX1000, ACX1100, ACX2100, ACX2200, ACX4000,

\n

ACX500              21.2R3-S9

\n

MX104               21.2R3-S9

\n

* Future Release 

"}],"value":"The following software releases have been updated to resolve this specific issue: 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.\n\n\n \n\n\nPlease note that this issue is not fixed for all platforms in the releases specified in the solution section.\n\n\nFor the following products the fix is only available in these releases:\n\n\nSRX300 Series   21.2R3-S9, 23.4R2-S5*, 24.4R1\n\n\nSRX550HM    22.2R3-S7*\n\n\nEX4300 Series     21.4R3-S11* (except EX4300-48MP which has fixes available as indicated in the solution)\n\n\nEX4600               21.4R3-S11* (except EX4650 which has fixes available as indicated in the solution)\n\n\nACX1000, ACX1100, ACX2100, ACX2200, ACX4000,\n\n\nACX500              21.2R3-S9\n\n\nMX104               21.2R3-S9\n\n\n* Future Release"}],"source":{"advisory":"JSA93446","defect":["1838460","1872010"],"discovery":"USER"},"timeline":[{"lang":"en","time":"2025-03-12T14:00:00.000Z","value":"Initial Publication"},{"lang":"en","time":"2025-03-12T15:16:00.000Z","value":"Corrected hotlinks for CVSS assessments"},{"lang":"en","time":"2025-03-14T14:00:00.000Z","value":"Rephrased sentences on Amazon involvement to reduce the chance for confusion"},{"lang":"en","time":"2025-04-09T08:17:00.000Z","value":"Updated solution section to clarify which platforms are not fixed in all but only in specific releases"},{"lang":"en","time":"2025-04-14T07:15:00.000Z","value":"For the products/platforms specifically mentioned in the solution section: Please note that Junos OS version 21.2R3-S9.20, which was made available last week, does not address the issue completely. We'll publish an updated version with the complete fix and update this advisory as soon as possible."},{"lang":"en","time":"2025-05-06T08:00:00.000Z","value":"For the products/platforms specifically mentioned in the solution section: Please note that Junos OS version 21.2R3-S9.21 has been publish with the complete fix."}],"title":"Junos OS: An local attacker with shell access can execute arbitrary code","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"It is strongly recommended to mitigate the risk of exploitation by restricting shell access to trusted users only.\n\n
"}],"value":"It is strongly recommended to mitigate the risk of exploitation by restricting shell access to trusted users only."}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-21590","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-03-14T03:55:21.999597Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2025-03-13","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21590"}}}],"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21590","tags":["government-resource"]}],"timeline":[{"time":"2025-03-13T00:00:00.000Z","lang":"en","value":"CVE-2025-21590 added to CISA KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T19:09:35.631Z"}}]}}