CISA has issued a warning regarding a newly discovered vulnerability affecting Juniper Networks’ Junos OS. The vulnerability, identified as CVE-2025-21590, involves an improper isolation or compartmentalization issue within the operating system’s kernel.
This flaw could allow a local attacker with high-level privileges to inject arbitrary code, potentially compromising the integrity of affected devices.
The vulnerability stems from improperly imposed security restrictions within Junos OS. An attacker with shell access could exploit this flaw to execute unauthorized code, leading to privilege escalation and system compromise.
It is important to note that the vulnerability is not exploitable through the Junos command-line interface (CLI), limiting the attack vector to those with significant system access.
Vulnerability Exploited by Chinese Hackers
Juniper Networks has released security advisories JSA93446 and JSA5385 to address the vulnerability and provide guidance to users.
The company recommends that users upgrade Junos OS to the releases detailed in JSA93446, which include patches for CVE-2025-21590 and updated anti-malware signatures.
Mandiant, Google Cloud's threat intelligence unit, uncovered a cyber espionage campaign, attributed to the China-linked hacking group UNC3886, that targeted outdated Juniper routers with sophisticated malware.
Mandiant’s research indicated that the attackers were exploiting end-of-life Juniper MX routers running older versions of Junos OS and were able to bypass the operating system’s Veriexec security subsystem by injecting malicious code into legitimate system processes.
Mandiant recommends that organizations upgrade all Juniper routers to supported versions with the latest security patches to prevent exploitation of known vulnerabilities.
They also advise implementing multi-factor authentication to strengthen authentication processes and enforce strict role-based access control to minimize the risk of unauthorized access.
CISA has added CVE-2025-21590 to its Known Exploited Vulnerabilities Catalog, emphasizing the significant risk it poses to the federal enterprise.
Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect FCEB networks against active threats. The due date for this vulnerability is April 3, 2025.
CISA strongly urges all organizations, including those outside the federal government, to prioritize timely remediation of catalog vulnerabilities to reduce their exposure to cyberattacks.
Juniper has published updated software releases to address the vulnerability. However, the company does not typically evaluate releases that have reached end-of-life.
While the complete list of affected platforms is still being investigated, Juniper recommends restricting shell access to trusted users only.
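As an added example (not from the article, CISA or Juniper), the following audit reads `show configuration system login | display set` output and lists which local users hold a login class whose permissions reach a shell, which is the population that Juniper's "restrict shell access" guidance applies to; the sample configuration lines are constructed, and the built-in class permission sets are Junos defaults.

```python
import re

# Constructed sample of `show configuration system login | display set` output (not from the page).
SAMPLE_CONFIG = """\
set system login class ops-readonly permissions view
set system login class ops-readonly permissions view-configuration
set system login class ops-readonly deny-commands "start shell"
set system login class neteng permissions [ configure interface maintenance view ]
set system login user alice class ops-readonly
set system login user bob class neteng
set system login user root-admin class super-user
set system login user noc class operator
"""

# Permission flags that allow a user to reach a routing-engine shell (Junos documented semantics).
SHELL_PERMISSIONS = {"shell", "maintenance", "all"}
# Built-in login classes and their fixed permission sets (Junos defaults).
BUILTIN_CLASSES = {
    "super-user": {"all"},
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "unauthorized": set(),
}

CLASS_PERM_RE = re.compile(r"^set system login class (\S+) permissions (.+)$")
USER_CLASS_RE = re.compile(r"^set system login user (\S+) class (\S+)$")

def parse_login_config(text):
    """Return (class -> permission set, user -> class name) from display-set lines."""
    classes = {name: set(perms) for name, perms in BUILTIN_CLASSES.items()}
    users = {}
    for line in text.splitlines():
        m = CLASS_PERM_RE.match(line.strip())
        if m:
            # Accept both the one-permission-per-line and the bracketed list forms.
            classes.setdefault(m.group(1), set()).update(m.group(2).strip("[] ").split())
            continue
        m = USER_CLASS_RE.match(line.strip())
        if m:
            users[m.group(1)] = m.group(2)
    return classes, users

def users_with_shell_access(text):
    """Map each user whose class grants shell-capable permissions to (class, granting flags).
    Note: deny-commands restrictions are not evaluated; treat the output as a review list."""
    classes, users = parse_login_config(text)
    flagged = {}
    for user, cls in sorted(users.items()):
        granted = classes.get(cls, set()) & SHELL_PERMISSIONS
        if granted:
            flagged[user] = (cls, sorted(granted))
    return flagged

if __name__ == "__main__":
    for user, (cls, perms) in users_with_shell_access(SAMPLE_CONFIG).items():
        print(f"{user}: class {cls} grants shell via {', '.join(perms)}")
```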
Organizations are advised to apply mitigations according to vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
By taking these steps, organizations can significantly reduce their risk of exploitation and protect their critical systems and data.