FKIE_CVE-2025-52985

Vulnerability from fkie_nvd - Published: 2025-07-11 16:15 - Updated: 2025-07-18 08:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
A Use of Incorrect Operator vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions. When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered. This issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output. This issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes. This issue affects Junos OS Evolved: * 23.2R2-S3-EVO versions before 23.2R2-S4-EVO, * 23.4R2-S3-EVO versions before 23.4R2-S5-EVO, * 24.2R2-EVO versions before 24.2R2-S1-EVO, * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue doesn't affect Junos OS Evolved versions before 23.2R1-EVO.
References
sirt@juniper.nethttps://supportportal.juniper.net/JSA100091
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Use of Incorrect Operator\n\nvulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.\n\nWhen a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with \u0027from prefix-list\u0027, and that prefix list contains more than 10 entries, the prefix list doesn\u0027t match and packets destined to or from the local device are not filtered.\n\n\nThis issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.\nThis issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.\nThis issue affects Junos OS Evolved:\n\n  *  23.2R2-S3-EVO versions before 23.2R2-S4-EVO,\n  *  23.4R2-S3-EVO versions before 23.4R2-S5-EVO,\n  *  24.2R2-EVO versions before 24.2R2-S1-EVO,\n  *  24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.\n\n\nThis issue doesn\u0027t affect Junos OS Evolved versions before 23.2R1-EVO."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de uso de operador incorrecto en el firewall del motor de enrutamiento de Juniper Networks Junos OS Evolved permite a un atacante no autenticado basado en la red eludir las restricciones de seguridad. Cuando un filtro de firewall aplicado a la interfaz lo0 o re:mgmt hace referencia a una lista de prefijos con \"from prefix-list\", y dicha lista contiene m\u00e1s de 10 entradas, la lista de prefijos no coincide y los paquetes con destino o origen en el dispositivo local no se filtran. Este problema afecta a los filtros de firewall aplicados a las interfaces re:mgmt como entrada y salida, pero solo a los filtros de firewall aplicados a la interfaz lo0 como salida. Este problema es aplicable a IPv4 e IPv6, ya que una lista de prefijos puede contener prefijos de IPv4 e IPv6. Este problema afecta a Junos OS Evolved: * versiones 23.2R2-S3-EVO anteriores a 23.2R2-S4-EVO, * versiones 23.4R2-S3-EVO anteriores a 23.4R2-S5-EVO, * versiones 24.2R2-EVO anteriores a 24.2R2-S1-EVO, * versiones 24.4-EVO anteriores a 24.4R1-S3-EVO y 24.4R2-EVO. Este problema no afecta a las versiones de Junos OS Evolved anteriores a 23.2R1-EVO."
    }
  ],
  "id": "CVE-2025-52985",
  "lastModified": "2025-07-18T08:15:27.887",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "sirt@juniper.net",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "sirt@juniper.net",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-11T16:15:25.860",
  "references": [
    {
      "source": "sirt@juniper.net",
      "url": "https://supportportal.juniper.net/JSA100091"
    }
  ],
  "sourceIdentifier": "sirt@juniper.net",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-480"
        }
      ],
      "source": "sirt@juniper.net",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.