CVE-2025-60004

7.5 HIGH

📋 TL;DR

An unauthenticated network attacker can cause a denial-of-service by sending a specific BGP EVPN update message to Juniper Junos OS and Junos OS Evolved devices, crashing the routing protocol daemon. This affects both iBGP and eBGP sessions over IPv4 and IPv6. Systems running affected versions of Junos OS and Junos OS Evolved are vulnerable even without BGP EVPN configuration.

💻 Affected Systems

Products:
  • Juniper Junos OS
  • Juniper Junos OS Evolved
Versions:
  • Junos OS: from 23.4R2-S3 before 23.4R2-S5; from 24.2R2 before 24.2R2-S1; 24.4 before 24.4R1-S3 and 24.4R2.
  • Junos OS Evolved: from 23.4R2-S2-EVO before 23.4R2-S5-EVO; from 24.2R2-EVO before 24.2R2-S1-EVO; 24.4 before 24.4R1-S3-EVO and 24.4R2-EVO.
Operating Systems: Junos OS, Junos OS Evolved
Default Config Vulnerable: ⚠️ Yes
Notes: BGP EVPN configuration is not required for the device to be vulnerable. The device is only exposed if a BGP peer is able to send BGP EVPN updates to it.

📦 What is this software?

Junos by Juniper

Junos OS is Juniper Networks' flagship network operating system running on enterprise routers, switches, security appliances, and data center infrastructure worldwide. Deployed across telecommunications providers, ISPs, cloud service providers, financial institutions, and large enterprises, Junos po...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained attacks could cause repeated rpd crashes leading to extended network outages, routing instability, and potential cascading failures in critical infrastructure.

🟠

Likely Case

Intermittent routing daemon crashes causing temporary network disruptions, route flapping, and increased management overhead.

🟢

If Mitigated

With proper network segmentation and BGP session controls, impact is limited to isolated network segments with minimal service disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specific BGP EVPN update over an established BGP session. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Junos OS: 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2. Junos OS Evolved: 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO.

Vendor Advisory: https://supportportal.juniper.net/JSA103165

Restart Required: Yes

Instructions:

1. Download the appropriate patch from the Juniper support portal.
2. Apply the patch with the 'request system software add' command.
3. Reboot the device to complete the installation.
4. Verify the installed version with the 'show version' command.

🔧 Temporary Workarounds

BGP Session Filtering

Configure BGP sessions to reject EVPN updates using route policies or prefix lists.

set policy-options policy-statement REJECT-EVPN term 1 from protocol evpn
set policy-options policy-statement REJECT-EVPN term 1 then reject
set protocols bgp group <group-name> import REJECT-EVPN

BGP Session Hardening

Implement BGP session authentication and limit BGP peers to trusted sources only.

set protocols bgp group <group-name> authentication-key <key>
set protocols bgp group <group-name> neighbor <ip> description "Trusted Peer"

🧯 If You Can't Patch

  • Implement strict BGP session controls to limit exposure to trusted peers only.
  • Deploy network monitoring to detect abnormal BGP EVPN traffic and rpd crashes.

🔍 How to Verify

Check if Vulnerable:

Check the running Junos version with 'show version' and compare it against the affected versions list above.

Check Version:

show version

Verify Fix Applied:

Verify with 'show version' that the installed release is one of the patched versions, and monitor rpd stability after applying the fix.
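As an added example (not from this page or from Juniper), the following Python script encodes the affected and fixed ranges listed above and checks a version string against them. It accepts either a bare version such as 23.4R2-S3 or the full output of 'show version', from which it takes the 'Junos:' line. The regex assumes the usual Junos version layout (major.minor, R release, optional -S service level, optional .build number, optional -EVO suffix); the 'show version' output below is a constructed sample.

```python
import re
from typing import Dict, List, Tuple

# Junos version layout assumed here: "23.4R2-S3", "23.4R2-S3.9" (with build
# number, as printed by 'show version') or "23.4R2-S2-EVO" for Junos OS Evolved.
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<rel>\d+)"
    r"(?:-S(?P<svc>\d+))?(?:\.(?P<build>\d+))?(?P<evo>-EVO)?$"
)

# Assumed 'show version' line format: "Junos: 23.4R2-S3.9"
SHOW_VERSION_RE = re.compile(r"^Junos:\s*(\S+)", re.MULTILINE)

Version = Tuple[int, int, int, int]  # (major, minor, release, service level)

# Affected ranges taken from this page, as [lower, upper) pairs where upper is
# the first fixed release of that train. The page lists 24.4R2 as fixed, so the
# 24.4 train is affected only below 24.4R1-S3. Evolved differs only in the
# 23.4 lower bound (23.4R2-S2-EVO instead of 23.4R2-S3).
AFFECTED: Dict[bool, List[Tuple[Version, Version]]] = {
    False: [((23, 4, 2, 3), (23, 4, 2, 5)),
            ((24, 2, 2, 0), (24, 2, 2, 1)),
            ((24, 4, 0, 0), (24, 4, 1, 3))],
    True:  [((23, 4, 2, 2), (23, 4, 2, 5)),
            ((24, 2, 2, 0), (24, 2, 2, 1)),
            ((24, 4, 0, 0), (24, 4, 1, 3))],
}


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return ((major, minor, release, service), is_evolved) for a version string.

    A missing "-S" service level compares as 0, so 24.2R2 sorts before 24.2R2-S1.
    The build number (".9") does not affect the affected/fixed decision.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    version = (int(m["major"]), int(m["minor"]), int(m["rel"]), int(m["svc"] or 0))
    return version, bool(m["evo"])


def version_from_show_output(output: str) -> str:
    """Pull the version string out of 'show version' output (assumed format)."""
    m = SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return m.group(1)


def is_affected(text: str) -> bool:
    """True if the version (bare string or 'show version' output) is in an affected range."""
    if "Junos:" in text:
        text = version_from_show_output(text)
    version, evo = parse_version(text)
    return any(lo <= version < hi for lo, hi in AFFECTED[evo])


# Constructed sample of 'show version' output for a vulnerable device.
SAMPLE_SHOW_VERSION = """Hostname: edge-rtr-1
Model: mx204
Junos: 23.4R2-S3.9
"""

if __name__ == "__main__":
    for candidate in ("23.4R2-S3", "23.4R2-S5", "24.4R1-S2", "24.4R2", "23.4R2-S2-EVO"):
        print(f"{candidate:16} affected={is_affected(candidate)}")
    print("sample device affected =", is_affected(SAMPLE_SHOW_VERSION))
```

Because service-level comparison is done on a numeric tuple, a release like 24.4R1-S4 (not listed on the page) falls on the fixed side of the 24.4R1-S3 boundary, which matches how Juniper's "before X" ranges read. Any version the regex does not understand raises rather than silently returning "not affected", so an unexpected string on a device is surfaced instead of being treated as safe.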

📡 Detection & Monitoring

Log Indicators:

  • rpd crash messages in system logs
  • BGP session flaps
  • EVPN update rejection logs

Network Indicators:

  • Unusual BGP EVPN traffic patterns
  • BGP session resets from untrusted sources

SIEM Query:

source="junos" AND (("rpd" AND "crash") OR ("BGP" AND "EVPN" AND "update"))
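The log indicators above (rpd crashes and BGP session flaps) can be checked offline before a SIEM rule is written. The following Python script is an added example, not from this page or from Juniper: it scans syslog lines, deduplicates crash evidence by rpd process ID (a single crash typically produces more than one message), counts how often each BGP peer leaves the Established state, and raises alerts. The sample lines are constructed to approximate Junos syslog output; the exact message text on a real device may differ, so treat the regexes as starting points to tune against your own logs.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log lines approximating Junos syslog output (not captured
# from a real device): one rpd crash reported by both the kernel and init, a
# second crash, and BGP session state changes for two peers.
SAMPLE_LOG = """\
Jan 12 10:14:58 edge-rtr-1 rpd[5123]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.10 (External AS 65010) changed state from Established to Idle (event RecvNotify) (instance master)
Jan 12 10:15:01 edge-rtr-1 /kernel: pid 5123 (rpd), uid 0: exited on signal 11 (core dumped)
Jan 12 10:15:02 edge-rtr-1 init: routing (PID 5123) terminated by signal number 11. Core dumped!
Jan 12 10:15:09 edge-rtr-1 rpd[5310]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.10 (External AS 65010) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
Jan 12 10:15:40 edge-rtr-1 rpd[5310]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.10 (External AS 65010) changed state from Established to Idle (event RecvNotify) (instance master)
Jan 12 10:15:41 edge-rtr-1 /kernel: pid 5310 (rpd), uid 0: exited on signal 11 (core dumped)
Jan 12 10:15:55 edge-rtr-1 rpd[5402]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 2001:db8::2 (Internal AS 65000) changed state from Established to Idle (event HoldTime) (instance master)
Jan 12 10:16:00 edge-rtr-1 sshd[6001]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
"""

# Two ways the same rpd crash may show up; both expose the process ID so the
# crash can be counted once. Assumed message formats.
RPD_CRASH_RES = [
    re.compile(r"pid (?P<pid>\d+) \(rpd\), uid \d+: exited on signal \d+ \(core dumped\)"),
    re.compile(r"routing \(PID (?P<pid>\d+)\) terminated by signal"),
]

# A BGP peer leaving Established; the peer address is captured for per-peer counting.
BGP_DOWN_RE = re.compile(
    r"RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer (?P<peer>\S+) .*"
    r"changed state from Established to (?P<state>\w+)"
)


def analyze_log(text: str, flap_threshold: int = 2) -> Dict[str, object]:
    """Scan syslog text for rpd crashes and BGP session drops.

    Returns the distinct crashed rpd PIDs, a per-peer count of transitions out
    of Established, and a list of alert strings for crashes and for peers whose
    drop count reaches flap_threshold.
    """
    crashed_pids = set()
    session_drops: Counter = Counter()
    for line in text.splitlines():
        for rx in RPD_CRASH_RES:
            m = rx.search(line)
            if m:
                crashed_pids.add(int(m["pid"]))
        m = BGP_DOWN_RE.search(line)
        if m:
            session_drops[m["peer"]] += 1

    alerts: List[str] = []
    if crashed_pids:
        alerts.append(f"rpd crashed {len(crashed_pids)} time(s): PIDs {sorted(crashed_pids)}")
    for peer, n in sorted(session_drops.items()):
        if n >= flap_threshold:
            alerts.append(f"BGP peer {peer} left Established {n} times (threshold {flap_threshold})")

    return {
        "rpd_crash_pids": sorted(crashed_pids),
        "session_drops": dict(session_drops),
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    print("crashed rpd PIDs:", result["rpd_crash_pids"])
    print("session drops per peer:", result["session_drops"])
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Deduplicating on the PID matters for alert fidelity: the kernel and init each log the same crash, and a naive keyword count of "core dumped" would report double. Counting transitions out of Established per peer, rather than all state changes, keeps the normal re-establishment after an rpd restart from inflating the flap count. Repeated crashes that coincide with session resets from one peer are the pattern to escalate on for this advisory, since the crash is triggered by an update received over an established session.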
