cve-2025-52985
Vulnerability from cvelistv5
Published
2025-07-11 15:09
Modified
2025-07-18 07:16
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS score ?
Summary
Junos OS Evolved: When a control-plane firewall filter refers to a prefix-list with more than 10 entries it's not matching
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Juniper Networks | Junos OS Evolved |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52985",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T16:04:44.130312Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T19:55:16.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "23.2R2-S4-EVO",
"status": "affected",
"version": "23.2R2-S3-EVO",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S5-EVO",
"status": "affected",
"version": "23.4R2-S3-EVO",
"versionType": "semver"
},
{
"lessThan": "24.2R2-S1-EVO",
"status": "affected",
"version": "24.2R2-EVO",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3-EVO, 24.4R2-EVO",
"status": "affected",
"version": "24.4-EVO",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A system will only be affected by this vulnerability if like in the following example a\n\nfirewall filter applied to the lo0 or re:mgmt interface references a prefix list with the \u0027from prefix-list\u0027 clause, and that prefix list contains more than 10 entries:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e[ policy-options prefix-list \u0026lt;prefix-list name\u0026gt; \u0026lt;prefix1\u0026gt; ]\u003cbr\u003e...\u003cbr\u003e\n\n[ policy-options prefix-list \u0026lt;prefix-list name\u0026gt;\n\n\u0026lt;prefix11\u0026gt; ]\u003cbr\u003e...\u003cbr\u003e[ firewall family \u0026lt;inet/inet6\u0026gt; filter \u0026lt;filter name\u0026gt; term \u0026lt;term name\u0026gt; from prefix-list \n\n\u0026lt;prefix-list name\u0026gt;\n\n ]\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e[ interfaces \u0026lt;lo0 unit \u0026lt;unit\u0026gt; / re:mgmt\u0026lt;0/1\u0026gt; unit \n\n\u0026lt;unit\u0026gt;\u0026gt; family \u0026lt;inet/inet6\u0026gt; filter \u0026lt;input/output\u0026gt; \n\n\u0026lt;filter name\u0026gt;\n\n ]\u003c/span\u003e\u003c/tt\u003e"
}
],
"value": "A system will only be affected by this vulnerability if like in the following example a\n\nfirewall filter applied to the lo0 or re:mgmt interface references a prefix list with the \u0027from prefix-list\u0027 clause, and that prefix list contains more than 10 entries:\n\n[ policy-options prefix-list \u003cprefix-list name\u003e \u003cprefix1\u003e ]\n...\n\n\n[ policy-options prefix-list \u003cprefix-list name\u003e\n\n\u003cprefix11\u003e ]\n...\n[ firewall family \u003cinet/inet6\u003e filter \u003cfilter name\u003e term \u003cterm name\u003e from prefix-list \n\n\u003cprefix-list name\u003e\n\n ]\n[ interfaces \u003clo0 unit \u003cunit\u003e / re:mgmt\u003c0/1\u003e unit \n\n\u003cunit\u003e\u003e family \u003cinet/inet6\u003e filter \u003cinput/output\u003e \n\n\u003cfilter name\u003e\n\n ]"
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A Use of Incorrect Operator\n\nvulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.\u003cbr\u003e\u003cbr\u003eWhen a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with \u0027from prefix-list\u0027, and that prefix list contains more than 10 entries, the prefix list doesn\u0027t match and packets destined to or from the local device are not filtered.\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.\u003c/span\u003e\u003cbr\u003eThis issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS Evolved:\u003c/p\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e23.2R2-S3-EVO versions before 23.2R2-S4-EVO,\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e23.4R2-S3-EVO versions before 23.4R2-S5-EVO,\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e24.2R2-EVO versions before 24.2R2-S1-EVO,\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/span\u003eThis issue doesn\u0027t affect Junos OS Evolved versions before 23.2R1-EVO."
}
],
"value": "A Use of Incorrect Operator\n\nvulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.\n\nWhen a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with \u0027from prefix-list\u0027, and that prefix list contains more than 10 entries, the prefix list doesn\u0027t match and packets destined to or from the local device are not filtered.\n\n\nThis issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.\nThis issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.\nThis issue affects Junos OS Evolved:\n\n * 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,\n * 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,\n * 24.2R2-EVO versions before 24.2R2-S1-EVO,\n * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.\n\n\nThis issue doesn\u0027t affect Junos OS Evolved versions before 23.2R1-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-480",
"description": "CWE-480 Use of Incorrect Operator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-18T07:16:09.464Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100091"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue: 23.2R2-S4-EVO, 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases."
}
],
"source": {
"advisory": "JSA100091",
"defect": [
"1866334"
],
"discovery": "INTERNAL"
},
"title": "Junos OS Evolved: When a control-plane firewall filter refers to a prefix-list with more than 10 entries it\u0027s not matching",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A workaround for this issue is to refer to the prefix list either with\u0026nbsp;the \u0027source-prefix-list\u0027 or the \u0027destination-prefix-list\u0027 match condition (\u0027from\u0027)."
}
],
"value": "A workaround for this issue is to refer to the prefix list either with\u00a0the \u0027source-prefix-list\u0027 or the \u0027destination-prefix-list\u0027 match condition (\u0027from\u0027)."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52985",
"datePublished": "2025-07-11T15:09:58.361Z",
"dateReserved": "2025-06-23T18:23:44.546Z",
"dateUpdated": "2025-07-18T07:16:09.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-52985\",\"sourceIdentifier\":\"sirt@juniper.net\",\"published\":\"2025-07-11T16:15:25.860\",\"lastModified\":\"2025-07-18T08:15:27.887\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Use of Incorrect Operator\\n\\nvulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.\\n\\nWhen a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with \u0027from prefix-list\u0027, and that prefix list contains more than 10 entries, the prefix list doesn\u0027t match and packets destined to or from the local device are not filtered.\\n\\n\\nThis issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.\\nThis issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.\\nThis issue affects Junos OS Evolved:\\n\\n * 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,\\n * 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,\\n * 24.2R2-EVO versions before 24.2R2-S1-EVO,\\n * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.\\n\\n\\nThis issue doesn\u0027t affect Junos OS Evolved versions before 23.2R1-EVO.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de uso de operador incorrecto en el firewall del motor de enrutamiento de Juniper Networks Junos OS Evolved permite a un atacante no autenticado basado en la red eludir las restricciones de seguridad. Cuando un filtro de firewall aplicado a la interfaz lo0 o re:mgmt hace referencia a una lista de prefijos con \\\"from prefix-list\\\", y dicha lista contiene m\u00e1s de 10 entradas, la lista de prefijos no coincide y los paquetes con destino o origen en el dispositivo local no se filtran. Este problema afecta a los filtros de firewall aplicados a las interfaces re:mgmt como entrada y salida, pero solo a los filtros de firewall aplicados a la interfaz lo0 como salida. Este problema es aplicable a IPv4 e IPv6, ya que una lista de prefijos puede contener prefijos de IPv4 e IPv6. Este problema afecta a Junos OS Evolved: * versiones 23.2R2-S3-EVO anteriores a 23.2R2-S4-EVO, * versiones 23.4R2-S3-EVO anteriores a 23.4R2-S5-EVO, * versiones 24.2R2-EVO anteriores a 24.2R2-S1-EVO, * versiones 24.4-EVO anteriores a 24.4R1-S3-EVO y 24.4R2-EVO. Este problema no afecta a las versiones de Junos OS Evolved anteriores a 23.2R1-EVO.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"sirt@juniper.net\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"sirt@juniper.net\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"sirt@juniper.net\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-480\"}]}],\"references\":[{\"url\":\"https://supportportal.juniper.net/JSA100091\",\"source\":\"sirt@juniper.net\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.