CVE-2025-59958
📋 TL;DR
An unauthenticated network attacker can send specially crafted packets to PTX Series routers running vulnerable Junos OS Evolved versions, causing resource exhaustion on the Routing Engine and potential information disclosure. This affects PTX Series devices with output firewall filters containing 'reject' actions on WAN/revenue interfaces. Only Junos OS Evolved versions before 22.4R3-EVO and 23.2 versions before 23.2R2-EVO are vulnerable.
💻 Affected Systems
- Juniper Networks PTX Series routers
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service on the Routing Engine, making the device unmanageable, plus disclosure of sensitive device information to attackers.
Likely Case
Degraded performance and intermittent management issues due to RE resource exhaustion, with potential information leakage about device configuration.
If Mitigated
Minimal impact if proper network segmentation and firewall rules prevent external access to vulnerable interfaces.
🎯 Exploit Status
Exploitation requires sending packets that match firewall filter terms with 'reject' actions. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.4R3-EVO or later, 23.2R2-EVO or later
Vendor Advisory: https://supportportal.juniper.net/JSA103147
Restart Required: No
Instructions:
1. Download the appropriate patch version from the Juniper support portal.
2. Upload it to the device.
3. Install it with the 'request system software add' command.
4. Verify the installation with 'show version'.
🔧 Temporary Workarounds
Remove or modify reject actions
Remove 'reject' actions from output firewall filters on WAN/revenue interfaces, or replace them with 'discard' actions
show configuration firewall family inet
delete firewall family inet filter FILTER_NAME term TERM_NAME then reject
set firewall family inet filter FILTER_NAME term TERM_NAME then discard
Apply input filters instead
Use input firewall filters instead of output filters where possible
set interfaces INTERFACE_NAME unit UNIT_NUMBER family inet filter input FILTER_NAME
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to vulnerable interfaces
- Monitor RE CPU utilization and implement rate limiting on suspicious traffic
🔍 How to Verify
Check if Vulnerable:
Check the version with 'show version', and check whether any output firewall filters with 'reject' actions are applied to WAN/revenue interfaces using 'show configuration firewall'
Check Version:
show version | match Junos
Verify Fix Applied:
Verify with 'show version' that the version is 22.4R3-EVO or later, or 23.2R2-EVO or later, and confirm that no output filters with 'reject' actions remain
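As an added example (not from the advisory or from Juniper), a Python audit that performs the configuration check above against 'show configuration | display set' output: it lists every 'reject' term that is bound as an output filter and prints the delete/set pairs from the workaround section. The sample configuration, filter and interface names are constructed; 'display set' formatting and direct 'filter output NAME' bindings are assumed.

```python
import re
# Constructed sample of "show configuration | display set" output; not from a real device.
SAMPLE_CONFIG = """\
set firewall family inet filter EDGE-OUT term BLOCK-BOGON from source-address 10.0.0.0/8
set firewall family inet filter EDGE-OUT term BLOCK-BOGON then reject
set firewall family inet filter MGMT-IN term DENY then reject administratively-prohibited
set firewall family inet6 filter EDGE6-OUT term DENY6 then reject
set interfaces et-0/0/0 unit 0 family inet filter output EDGE-OUT
set interfaces et-0/0/1 unit 0 family inet6 filter output EDGE6-OUT
set interfaces re0:mgmt-0 unit 0 family inet filter input MGMT-IN
"""

# 'then reject' may carry a reason (e.g. administratively-prohibited), hence the \b.
REJECT_RE = re.compile(r"^set firewall family (?P<family>inet6?) filter (?P<filter>\S+)"
                       r" term (?P<term>\S+) then reject\b")
# Only direct 'filter output NAME' bindings are handled; 'output-list' is not.
OUTPUT_RE = re.compile(r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+)"
                       r" family (?P<family>inet6?) filter output (?P<filter>\S+)$")

def find_output_reject_terms(config_text):
    """Return (interface, family, filter, term) for every 'reject' term reachable
    through an output filter; input filters (MGMT-IN above) are not reported."""
    reject_terms = {}  # (family, filter) -> [term, ...]
    for line in config_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            reject_terms.setdefault((m["family"], m["filter"]), []).append(m["term"])
    findings = []
    for line in config_text.splitlines():
        m = OUTPUT_RE.match(line.strip())
        if m:
            for term in reject_terms.get((m["family"], m["filter"]), []):
                findings.append((f"{m['ifd']}.{m['unit']}", m["family"], m["filter"], term))
    return findings

def remediation_commands(findings):
    """Delete/set pairs from the workaround section, one pair per term (deduplicated)."""
    seen, cmds = set(), []
    for _iface, family, flt, term in findings:
        if (family, flt, term) not in seen:
            seen.add((family, flt, term))
            cmds.append(f"delete firewall family {family} filter {flt} term {term} then reject")
            cmds.append(f"set firewall family {family} filter {flt} term {term} then discard")
    return cmds

if __name__ == "__main__":
    hits = find_output_reject_terms(SAMPLE_CONFIG)
    print(*[f"{i}: output filter {f} term {t} uses 'reject'" for i, _, f, t in hits], sep="\n")
    print(*remediation_commands(hits), sep="\n")
```

Paste a real device's 'display set' output into SAMPLE_CONFIG to run the audit offline. Note that 'discard' silently drops matching packets instead of returning an ICMP error, so the workaround changes what senders observe.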
📡 Detection & Monitoring
Log Indicators:
- High RE CPU utilization alerts
- Firewall reject log entries on output filters
- Resource exhaustion warnings
Network Indicators:
- Unexpected ICMP responses from routing engine
- Increased traffic to management interfaces
SIEM Query:
source="juniper-firewall" action="reject" direction="output"