Juniper Junos OS Vulnerability (CVE-2025-52953) Enables BGP-Based Denial of Service: Patch Now to Protect Your Network
14th July 2025, Kathmandu
A newly disclosed vulnerability in Juniper Networks’ Junos OS and Junos OS Evolved poses a serious threat to network stability. Tracked as CVE-2025-52953, this medium-severity flaw allows an unauthenticated attacker on an adjacent network to cause a persistent Denial of Service (DoS) by sending specially crafted BGP UPDATE packets.
Overview of CVE-2025-52953
Discovered during routine production testing, the flaw resides in the routing protocol daemon (rpd) component of Junos OS and Junos OS Evolved. It is detailed in Juniper Security Bulletin JSA100059, published and last updated on July 9, 2025.
This Expected Behavior Violation allows attackers with access to an adjacent network to send well-formed but malicious BGP UPDATE messages that trigger BGP session resets. If exploited repeatedly, this results in sustained routing outages and traffic blackholing for both IPv4 and IPv6 networks.
Severity Ratings
CVSS v3.1 Score: 6.5 (Medium)
CVSS v4.0 Score: 7.1 (Medium-High)
Despite the medium rating, the potential for network-wide disruption makes this vulnerability a high-priority concern for organizations relying on BGP for internal (iBGP) or external (eBGP) routing.
Affected Versions
Junos OS
Versions before:
21.2R3-S9
21.4R3-S11
22.2R3-S7
22.4R3-S7
23.2R2-S4
23.4R2-S4
24.2R2
24.4R1-S3 or 24.4R2
Junos OS Evolved
Versions before:
22.2R3-S7-EVO
22.4R3-S7-EVO
23.2R2-S4-EVO
23.4R2-S4-EVO
24.2R2-EVO
24.4R1-S3-EVO or 24.4R2-EVO
Key Impact: IPv6 VPN Unicast Configurations
This vulnerability is especially critical for networks supporting IPv6 VPN unicast address families in iBGP and eBGP. A successful exploit causes continuous BGP session resets, leading to service outages, route flapping, and network instability.
No Workaround Available – Immediate Patching Required
Juniper Networks has not identified any workaround for CVE-2025-52953. However, patched software versions have been released and are available for download via the Juniper Support Portal.
Network administrators are urged to:
Review their BGP configurations for IPv6 VPN unicast support.
Apply the patched versions immediately to prevent potential service disruptions.
Monitor bug ID 1855477 for updates and remediation progress.
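As an added example that is not part of the advisory or of Juniper's own tooling, the following Python helper checks a Junos OS or Junos OS Evolved version string against the fixed releases listed above, so an inventory export can be triaged before the upgrade window. How it treats trains not named in the list is an assumption and is marked as such in the comments.

```python
import re
from typing import Dict, Tuple

# Fixed releases per train, copied from the affected-version list above (JSA100059).
# Within a train, any release older than the one listed is affected.
FIXED_JUNOS: Dict[Tuple[int, int], str] = {
    (21, 2): "21.2R3-S9", (21, 4): "21.4R3-S11", (22, 2): "22.2R3-S7",
    (22, 4): "22.4R3-S7", (23, 2): "23.2R2-S4", (23, 4): "23.4R2-S4",
    (24, 2): "24.2R2", (24, 4): "24.4R1-S3",  # 24.4R2 sorts after 24.4R1-S3, so it is covered too
}
FIXED_EVO: Dict[Tuple[int, int], str] = {
    (22, 2): "22.2R3-S7-EVO", (22, 4): "22.4R3-S7-EVO", (23, 2): "23.2R2-S4-EVO",
    (23, 4): "23.4R2-S4-EVO", (24, 2): "24.2R2-EVO", (24, 4): "24.4R1-S3-EVO",
}

# major.minor R<release> [-S<service>] [.<build>] [-EVO]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, int], Tuple[int, int], bool]:
    """Split e.g. '23.4R2-S1-EVO' into train (23, 4), release (2, 1) and is_evo=True."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, rel, svc, evo = m.groups()
    return (int(major), int(minor)), (int(rel), int(svc or 0)), evo is not None


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one Junos OS / Junos OS Evolved version."""
    train, release, is_evo = parse_version(version)
    table = FIXED_EVO if is_evo else FIXED_JUNOS
    if train in table:
        _, fixed_release, _ = parse_version(table[train])
        return "fixed" if release >= fixed_release else "affected"
    # Assumption: "versions before <oldest listed fix>" also covers older trains.
    if train < min(table):
        return "affected"
    return "unlisted"  # newer or unlisted train: confirm directly against JSA100059


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for v in ["22.4R3-S6", "22.4R3-S7.2", "24.4R1-S2", "24.4R2", "23.4R2-S3-EVO", "25.2R1"]:
        print(f"{v:16} {assess(v)}")
```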
No Active Exploitation Detected (Yet)
As of now, Juniper SIRT reports no known in-the-wild exploitation of this vulnerability. However, due to its ease of exploitation and potentially widespread impact, timely mitigation is essential.
Final Thoughts
Organizations using Junos OS or Junos OS Evolved should consider CVE-2025-52953 a high operational risk, especially in data centers, enterprise backbones, and service provider networks. A proactive approach — through version upgrades and careful configuration reviews — can ensure continued network resilience and stability.