EN

CVE-2025-21594

High
7.5
0.05.010.0
Year
2025
Published
Apr 9, 2025
Known Affected Devices
0
CVSS Score
7.5

What is CVE-2025-21594?

An Improper Check for Unusual or Exceptional Conditions vulnerability in the pfe (packet forwarding engine) of Juniper Networks Junos OS on MX Series causes a port within a pool to be blocked leading to Denial of Service (DoS). In a DS-Lite (Dual-Stack Lite) and NAT (Network Address Translation) scenario, when crafted IPv6 traffic is received and prefix-length is set to 56, the ports assigned to the user will not be freed.  Eventually, users cannot establish new connections. Affected FPC/PIC need to be manually restarted to recover. Following is the command to identify the issue:      user@host> show services nat source port-block      Host_IP                     External_IP                   Port_Block      Ports_Used/       Block_State/                                                               Range           Ports_Total       Left_Time(s)     2001::                        x.x.x.x                     58880-59391     256/256*1         Active/-       >>>>>>>>port still usedThis issue affects Junos OS on MX Series:  * from 21.2 before 21.2R3-S8,  * from 21.4 before 21.4R3-S7,  * from 22.1 before 22.1R3-S6,  * from 22.2 before 22.2R3-S4,  * from 22.3 before 22.3R3-S3,  * from 22.4 before 22.4R3-S2,  * from 23.2 before 23.2R2-S1,  * from 23.4 before 23.4R1-S2, 23.4R2. This issue does not affect versions before 20.2R1.

CVSS Vector Breakdown

CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV
Attack Vector
Network

Exploitable remotely over the network without requiring access to the local system.

AC
Attack Complexity
Low

No special conditions required. Exploit can be performed reliably and repeatedly.

PR
Privileges Required
None

No authentication required. Any anonymous user can exploit this vulnerability.

UI
User Interaction
None

No user interaction required. Exploit runs without any victim action.

S
Scope
Unchanged

Exploiting the vulnerability only affects the vulnerable component itself.

C
Confidentiality Impact
None

No confidentiality impact. Sensitive data is not exposed.

I
Integrity Impact
None

No integrity impact. Data cannot be modified.

A
Availability Impact
High

Complete denial of service. The component becomes fully unavailable.

Known Affected Devices

Juniper Networks Juniper ACX1000 Juniper Networks Juniper EX2300-24P Juniper Networks Juniper EX2300-C-12P

FAQ

How severe is CVE-2025-21594?

CVE-2025-21594 has a CVSS score of 7.5/10, rated as High. This is a high severity vulnerability and should be patched as soon as possible.

What does the CVSS score mean for CVE-2025-21594?

CVSS (Common Vulnerability Scoring System) rates vulnerability severity from 0.0 to 10.0. CVE-2025-21594 scores 7.5/10 (High). Scores 9.0–10.0 are Critical, 7.0–8.9 are High, 4.0–6.9 are Medium, and below 4.0 are Low.

Which devices are affected by CVE-2025-21594?

The list of devices confirmed to be affected by CVE-2025-21594 is shown in the "Affected Devices" section above. Check your firmware version against the vendor security advisory and apply the latest patch.

How do I fix or mitigate CVE-2025-21594?

Apply the latest firmware or software update from the vendor. Check the References section above for official advisories and patch notes. If no patch is available, consider disabling the affected feature or isolating the device from untrusted networks.