\n\n ]"}],"datePublic":"2025-07-09T16:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A Use of Incorrect Operator\n\nvulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.
When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered.
\n\nThis issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.
This issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.
This issue affects Junos OS Evolved:
- 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,
- 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,
- 24.2R2-EVO versions before 24.2R2-S1-EVO,
- 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue doesn't affect Junos OS Evolved versions before 23.2R1-EVO."}],"value":"A Use of Incorrect Operator\n\nvulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.\n\nWhen a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered.\n\n\nThis issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.\nThis issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.\nThis issue affects Junos OS Evolved:\n\n * 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,\n * 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,\n * 24.2R2-EVO versions before 24.2R2-S1-EVO,\n * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.\n\n\nThis issue doesn't affect Junos OS Evolved versions before 23.2R1-EVO."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}],"value":"Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":6.9,"baseSeverity":"MEDIUM","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-480","description":"CWE-480 Use of Incorrect Operator","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","shortName":"juniper","dateUpdated":"2025-07-18T07:16:09.464Z"},"references":[{"tags":["vendor-advisory"],"url":"https://supportportal.juniper.net/JSA100091"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The following software releases have been updated to resolve this specific issue: 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases."}],"value":"The following software releases have been updated to resolve this specific issue: 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases."}],"source":{"advisory":"JSA100091","defect":["1866334"],"discovery":"INTERNAL"},"title":"Junos OS Evolved: When a control-plane firewall filter refers to a prefix-list with more than 10 entries it's not matching","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A workaround for this issue is to refer to the prefix list either with the 'source-prefix-list' or the 'destination-prefix-list' match condition ('from')."}],"value":"A workaround for this issue is to refer to the prefix list either with the 'source-prefix-list' or the 'destination-prefix-list' match condition ('from')."}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-07-11T16:04:44.130312Z","id":"CVE-2025-52985","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-07-15T19:55:16.560Z"}}]}}