CVE-2025-52961
📋 TL;DR
An unauthenticated adjacent attacker can cause denial-of-service on affected Juniper PTX devices by sending specific valid CFM traffic that spikes CPU to 100% and causes memory leaks, eventually crashing and restarting the FPC. This affects Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, and PTX10016 routers running vulnerable versions.
💻 Affected Systems
- PTX10001-36MR
- PTX10002-36QDD
- PTX10004
- PTX10008
- PTX10016
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Sustained DoS causing repeated FPC crashes and restarts, rendering the device unusable for network traffic forwarding
Likely Case
Intermittent service disruption due to FPC restarts, impacting network availability and performance
If Mitigated
Limited impact if proper network segmentation and monitoring are in place to detect and block malicious CFM traffic
🎯 Exploit Status
Exploitation requires adjacent network access and knowledge of specific valid CFM traffic patterns
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.2R2-S4-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-S2-EVO, or later versions
Vendor Advisory: https://supportportal.juniper.net/JSA103144
Restart Required: Yes
Instructions:
1. Check the current version with 'show version'.
2. Download the appropriate fixed version from Juniper support.
3. Install the update following the Junos OS Evolved upgrade procedures.
4. Reboot the device to activate the new version.
🔧 Temporary Workarounds
Disable CFM functionality
Temporarily disable Connectivity Fault Management if it is not required for network operations:
configure
delete protocols oam ethernet connectivity-fault-management
commit
Implement network segmentation
Restrict CFM traffic to trusted sources using ACLs or firewall rules
🧯 If You Can't Patch
- Implement strict network access controls to limit adjacent device access
- Monitor cfmman memory usage and restart devices when RSS grows excessively
🔍 How to Verify
Check if Vulnerable:
Check version with 'show version' and compare against affected versions list
Check Version:
show version
Verify Fix Applied:
Verify version is patched with 'show version' and monitor cfmman memory usage with 'show system processes node fpc<num> detail | match cfmman'
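The version comparison above is easy to get wrong by hand because Junos OS Evolved version strings carry a release train (23.2, 24.4), an R number and an optional service release (S number). The following helper is an added example, not code from the advisory or from Juniper: it parses a version string, locates it in its release train and reports whether it is at or above the fixed release listed on this page. The 'or later versions' wording is interpreted as "any train newer than the newest fixed train is fixed"; trains older than those listed, or releases below the fixed one in a listed train, are reported as needing a check against the vendor advisory rather than being declared vulnerable, because this page does not enumerate the affected versions. The 'show version' output used below is constructed; the line label 'Junos:' is an assumption to confirm against a real device.

```python
import re

# Fixed releases named in this advisory, one per release train.
FIXED_RELEASES = ["23.2R2-S4-EVO", "23.4R2-S4-EVO", "24.2R2-EVO", "24.4R1-S2-EVO"]

# major.minor R<release> [-S<service>] [-EVO]
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:-EVO)?$")


def parse_evo_version(ver):
    """Parse '23.2R2-S4-EVO' into ((23, 2), (2, 4)); S defaults to 0 when absent."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Junos EVO version string: {ver!r}")
    major, minor, r, s = m.groups()
    return (int(major), int(minor)), (int(r), int(s or 0))


def fix_status(ver, fixed=FIXED_RELEASES):
    """Return 'fixed' or 'check-advisory' for a running version.

    'fixed'          : at/above the fixed release in its train, or in a train
                       newer than every listed fixed train ("or later versions").
    'check-advisory' : below the fixed release in a listed train, or in an
                       older/unlisted train; this page does not list affected
                       versions, so the vendor advisory must decide.
    """
    fixed_by_train = {}
    for f in fixed:
        train, key = parse_evo_version(f)
        fixed_by_train[train] = key
    train, key = parse_evo_version(ver)
    if train in fixed_by_train:
        return "fixed" if key >= fixed_by_train[train] else "check-advisory"
    if train > max(fixed_by_train):
        return "fixed"
    return "check-advisory"


def version_from_show_version(output):
    """Extract the running version from 'show version' text.

    Assumption: Junos OS Evolved prints a line of the form 'Junos: <version>'.
    """
    m = re.search(r"^\s*Junos:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return m.group(1)


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Hostname: ptx-lab-1
Model: ptx10008
Junos: 23.2R2-S3-EVO
"""

if __name__ == "__main__":
    running = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(running, "->", fix_status(running))
```

Run it against the text of 'show version' pasted from the device; a 'check-advisory' result means the release is below the fixed one for its train (or the train is not listed here) and the Juniper advisory must be consulted before concluding anything.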
📡 Detection & Monitoring
Log Indicators:
- FPC crash/restart logs
- High CPU utilization alerts for cfmd process
- Memory allocation failures
Network Indicators:
- Unusual CFM traffic patterns from adjacent devices
- Increased CFM protocol activity
SIEM Query:
Process monitoring for cfmman RSS memory growth over time, threshold alerts for memory > 1GB
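The monitoring guidance above (watch cfmman RSS over time, alert above 1 GB) and the 'If You Can't Patch' advice to restart on excessive growth both come down to trending a single number from repeated CLI captures. The script below is an added example, not code from the advisory or from Juniper: it extracts the cfmman RSS figure from captures of 'show system processes node fpc<num> detail | match cfmman' and raises an alert when the latest value exceeds the 1 GB threshold or when RSS has grown monotonically by at least 25% across the window (that growth ratio is an assumption to tune per site). The captures are constructed; the column layout (a ps-style PID USER %CPU %MEM VSZ RSS COMMAND ordering, with the header removed by '| match') is an assumption and the RSS column index must be checked against the real output before this is wired into a SIEM.

```python
RSS_THRESHOLD_KB = 1024 * 1024   # 1 GB, the threshold the advisory's SIEM guidance suggests
GROWTH_ALERT_RATIO = 1.25        # assumption: +25% over the window is treated as a leak signal

# Assumed ps-style header; '| match cfmman' strips it, so it is supplied here.
ASSUMED_HEADER = "PID USER %CPU %MEM VSZ RSS COMMAND"


def rss_column_index(header_line=ASSUMED_HEADER, default=5):
    """Locate the RSS column from the header, falling back to a default index."""
    cols = header_line.split()
    return cols.index("RSS") if "RSS" in cols else default


def parse_cfmman_rss_kb(output, header_line=ASSUMED_HEADER):
    """Return the RSS (kB) of the cfmman process from one CLI capture, or None."""
    idx = rss_column_index(header_line)
    for line in output.splitlines():
        fields = line.split()
        if len(fields) > idx and "cfmman" in fields[-1]:
            try:
                return int(fields[idx])
            except ValueError:
                continue   # header or malformed line; keep scanning
    return None


def assess_trend(samples, threshold_kb=RSS_THRESHOLD_KB, ratio=GROWTH_ALERT_RATIO):
    """samples: list of (epoch_seconds, rss_kb) oldest first. Returns alerts and the growth rate."""
    pts = [(t, r) for t, r in samples if r is not None]
    if not pts:
        return {"latest_rss_kb": None, "growth_kb_per_hour": 0.0, "alerts": ["no-data"]}
    t0, r0 = pts[0]
    t1, r1 = pts[-1]
    hours = (t1 - t0) / 3600.0
    rate = (r1 - r0) / hours if hours > 0 else 0.0
    alerts = []
    if r1 > threshold_kb:
        alerts.append("rss-over-threshold")
    monotonic = all(b[1] >= a[1] for a, b in zip(pts, pts[1:]))
    if len(pts) >= 3 and monotonic and r0 > 0 and r1 / r0 >= ratio:
        alerts.append("sustained-growth")
    return {"latest_rss_kb": r1, "growth_kb_per_hour": rate, "alerts": alerts}


def assess_captures(captures, header_line=ASSUMED_HEADER):
    """captures: list of (epoch_seconds, raw CLI output) oldest first."""
    return assess_trend([(t, parse_cfmman_rss_kb(out, header_line)) for t, out in captures])


# Constructed captures taken one hour apart on an FPC whose cfmman RSS keeps climbing.
CAPTURES = [
    (0,     "12345 root   0.5  0.6   512000  204800 /usr/sbin/cfmman"),
    (3600,  "12345 root  35.2  1.2   820000  409600 /usr/sbin/cfmman"),
    (7200,  "12345 root  99.1  2.1  1100000  716800 /usr/sbin/cfmman"),
    (10800, "12345 root 100.0  3.3  1500000 1126400 /usr/sbin/cfmman"),
]

if __name__ == "__main__":
    result = assess_captures(CAPTURES)
    print(f"latest RSS {result['latest_rss_kb']} kB, "
          f"growth {result['growth_kb_per_hour']:.0f} kB/h, alerts: {result['alerts']}")
```

Feed it captures collected on a fixed interval (one per FPC); 'sustained-growth' fires well before the 1 GB threshold does, which is the point at which the restart advice in 'If You Can't Patch' can still be scheduled rather than forced by an FPC crash.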