CVE-2025-52985
📋 TL;DR
A Juniper Junos OS Evolved firewall filter vulnerability allows unauthenticated network attackers to bypass security restrictions when prefix lists with more than 10 entries are used. This affects firewall filters applied to management and loopback interfaces, potentially allowing unauthorized access to or from the local device. Only specific versions of Junos OS Evolved are affected.
💻 Affected Systems
- Juniper Networks Junos OS Evolved
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete firewall bypass for traffic to/from local device, allowing unauthorized access to management interfaces and potential device compromise.
Likely Case
Partial firewall bypass where certain traffic that should be blocked is allowed through, potentially exposing management services or allowing unauthorized communication.
If Mitigated
Limited impact if firewall filters are not applied to affected interfaces or if prefix lists contain 10 or fewer entries.
🎯 Exploit Status
Exploitation requires specific firewall filter configurations with prefix lists exceeding 10 entries.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO
Vendor Advisory: https://supportportal.juniper.net/JSA100091
Restart Required: Yes
Instructions:
1. Check current version with 'show version'. 2. Download appropriate fixed version from Juniper support. 3. Install update following Juniper upgrade procedures. 4. Reboot device to apply changes.
🔧 Temporary Workarounds
Reduce prefix list entries
allModify firewall filters to use prefix lists with 10 or fewer entries on affected interfaces.
configure
edit firewall family inet prefix-list PL_NAME
delete entries beyond first 10
commit
Remove affected filters
allTemporarily remove firewall filters from lo0 and re:mgmt interfaces until patched.
configure
delete interfaces lo0 unit 0 family inet filter
delete interfaces re:mgmt unit 0 family inet filter
commit
🧯 If You Can't Patch
- Implement network segmentation to isolate affected devices from untrusted networks.
- Use additional firewall protections upstream to compensate for the bypass vulnerability.
🔍 How to Verify
Check if Vulnerable:
Check if firewall filters with prefix lists >10 entries are applied to lo0 or re:mgmt interfaces: 'show configuration interfaces lo0 | display set' and 'show configuration interfaces re:mgmt | display set'Check Version:
show version | match JunosVerify Fix Applied:
After patching, verify the fix by testing firewall filter functionality with prefix lists >10 entries on affected interfaces.📡 Detection & Monitoring
Log Indicators:
- Firewall filter match failures on lo0/re:mgmt interfaces
- Unexpected traffic allowed through firewall filters
Network Indicators:
- Traffic that should be blocked reaching management interfaces
- Unauthorized access attempts to local device services
SIEM Query:
firewall bypass OR prefix-list AND (lo0 OR re:mgmt) AND Junos