CVE-2025-21599
📋 TL;DR
This CVE describes a memory leak vulnerability in Juniper's Tunnel Driver (jtd) on Junos OS Evolved. Unauthenticated attackers can send specially crafted IPv6 packets to cause kernel memory exhaustion, leading to system crashes and denial of service. Only systems running affected Junos OS Evolved versions with IPv6 configured are vulnerable.
💻 Affected Systems
- Juniper Networks Junos OS Evolved
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash and sustained denial of service, requiring manual reboot and potentially disrupting all network services on the affected device.
Likely Case
Intermittent service degradation or system crashes when targeted by malicious IPv6 traffic, leading to network outages.
If Mitigated
Minimal impact if IPv6 is disabled or traffic filtering prevents malicious packets from reaching the device.
🎯 Exploit Status
Requires crafting specific malformed IPv6 packets and sending them to the target device. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.4R3-S5-EVO, 23.2R2-S2-EVO, 23.4R2-S2-EVO, 24.2R1-S2-EVO or later
Vendor Advisory: https://supportportal.juniper.net/JSA92869
Restart Required: Yes
Instructions:
1. Check the current version with 'show version'.
2. Download the appropriate patch from the Juniper support portal.
3. Apply the patch following Juniper upgrade procedures.
4. Reboot the device to activate the fixed software.
🔧 Temporary Workarounds
Disable IPv6
Completely disable IPv6 functionality on affected devices
set system services ipv6 disable
commit
Filter IPv6 Traffic
Implement firewall rules to block or rate-limit IPv6 packets to the device. As written, the filter below discards all IPv6 traffic addressed to the device, so it also drops legitimate IPv6 management traffic; a Junos firewall filter has no effect until it is applied to an interface (for traffic destined to the device itself, as an input filter on the loopback interface).
set firewall family inet6 filter BLOCK-MALFORMED term 1 from destination-address <device-ip>
set firewall family inet6 filter BLOCK-MALFORMED term 1 then discard
commit
🧯 If You Can't Patch
- Disable IPv6 on all affected devices immediately
- Implement strict network segmentation and firewall rules to limit IPv6 traffic to affected devices
🔍 How to Verify
Check if Vulnerable:
Run 'show version' and check whether the running release is older than the fixed release for its train (see the vendor advisory for the full affected ranges) and whether IPv6 is configured on the device.
Check Version:
show version | match Junos
Verify Fix Applied:
After patching, confirm with 'show version' that the running release is one of the fixed versions listed above or later, and confirm that legitimate IPv6 traffic is still forwarded normally.
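The version check above can be automated when there are many devices to assess. The following script is an added example and is not Juniper's tooling; it takes the text of 'show version', extracts the "Junos:" line, and compares the release against the fixed releases quoted in this summary for the same release train. The fixed versions are taken from the page; the rule that an earlier release in the same train is treated as vulnerable, the output status names, and the sample 'show version' text are this example's own assumptions. Trains not named in the fix list are reported as unknown so they can be checked against the vendor advisory rather than guessed.

```python
"""Assess a Junos OS Evolved device against the fixed releases for CVE-2025-21599.

Added example, not vendor tooling. FIXED_RELEASES comes from the advisory summary;
treating any earlier release in the same train as vulnerable is this script's assumption.
"""
import re
from typing import NamedTuple

# Fixed releases quoted in the advisory summary, one per release train.
FIXED_RELEASES = ["22.4R3-S5-EVO", "23.2R2-S2-EVO", "23.4R2-S2-EVO", "24.2R1-S2-EVO"]

# Matches forms such as 23.4R2-EVO, 23.4R2.5-EVO, 23.4R2-S1-EVO, 23.4R2-S1.3-EVO.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:\.\d+)?"  # train + R release (+ build)
    r"(?:-S(?P<s>\d+)(?:\.\d+)?)?-EVO$"                      # optional service release
)


class EvoVersion(NamedTuple):
    train: str     # "23.4"
    release: int   # R2 -> 2
    service: int   # -S2 -> 2, 0 when no service release is present


def parse_version(text: str) -> EvoVersion:
    """Parse a Junos OS Evolved version string; raises ValueError on other input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Junos OS Evolved version string: {text!r}")
    return EvoVersion(f"{m['major']}.{m['minor']}", int(m["r"]), int(m["s"] or 0))


# Map each release train to the first fixed release in that train.
FIXED_BY_TRAIN = {v.train: v for v in map(parse_version, FIXED_RELEASES)}


def version_from_show_version(output: str) -> str:
    """Pull the value of the 'Junos: <version>' line out of 'show version' output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Junos":
            return value.strip()
    raise ValueError("no 'Junos:' line found in show version output")


def assess(show_version_output: str, ipv6_configured: bool) -> str:
    """Return 'fixed', 'vulnerable', 'vulnerable-version-no-ipv6' or 'unknown-train'.

    'vulnerable-version-no-ipv6' means the release is unpatched but the device has no
    IPv6 configured, which the advisory summary describes as not exploitable (still patch).
    """
    running = parse_version(version_from_show_version(show_version_output))
    fixed = FIXED_BY_TRAIN.get(running.train)
    if fixed is None:
        return "unknown-train"  # not in the fix list above; consult JSA92869
    if (running.release, running.service) >= (fixed.release, fixed.service):
        return "fixed"
    return "vulnerable" if ipv6_configured else "vulnerable-version-no-ipv6"


# Constructed sample output for demonstration; not captured from a real device.
SAMPLE_SHOW_VERSION = """Hostname: pe1
Model: example-model
Junos: 23.4R2-S1-EVO
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, ipv6_configured=True))
```

Feed it the saved output of 'show version' from each device (for example collected over SSH or from an inventory tool) and act on any 'vulnerable' or 'unknown-train' result; the script deliberately refuses to guess for trains the fix list does not mention.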
📡 Detection & Monitoring
Log Indicators:
- Kernel memory exhaustion warnings
- System crash/reboot logs
- High memory usage alerts in jtd process
Network Indicators:
- Unusual volumes of malformed IPv6 packets to device management interfaces
- Spike in IPv6 traffic to affected devices
SIEM Query:
source_ip=* AND dest_ip=<device_ip> AND protocol=ipv6 AND (packet_size>1500 OR flags=malformed)