Skip to content
Uniqcli

"Juniper Junos OS CVE-2025-21590: Exploited by UNC3886 on EOL MX Routers — CISA KEV, Patch Now"

NewsUniqcli TeamJune 6, 20267 min read
"Juniper Junos OS CVE-2025-21590: Exploited by UNC3886 on EOL MX Routers — CISA KEV, Patch Now"

A China-nexus espionage group used a flaw in the Junos OS kernel to plant stealthy backdoors on Juniper routers — many of them already past end-of-life. CVE-2025-21590 is now in CISA's Known Exploited Vulnerabilities catalog, which means it carried a binding federal remediation deadline. If you run Junos-based routers, here is what the vulnerability is, how to confirm exposure, and exactly which releases close it.

What happened

In March 2025, Google's Mandiant disclosed an intrusion campaign in which the China-nexus actor tracked as UNC3886 deployed custom backdoors on Juniper Networks MX routers running Junos OS. The activity relied on a kernel weakness now cataloged as CVE-2025-21590.

Junos OS uses a feature called Veriexec — a kernel-based file integrity subsystem that is designed to prevent unauthorized or tampered binaries from executing. UNC3886 circumvented that protection not by modifying files on disk, but by injecting malicious code into the memory of a legitimate, already-trusted process. Because the code ran inside a process Veriexec had already blessed, the integrity check was effectively bypassed, and the attackers were able to run their payloads.

Juniper published an out-of-cycle Security Bulletin (JSA93446) and patched releases. The same day Juniper's advisory landed, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog. Mandiant reported that the actor installed multiple TinyShell-based backdoors on compromised devices, several of which were running end-of-life hardware and software — a recurring theme in router-targeting campaigns, because legacy gear is rarely monitored and slow to patch.

Affected products and versions

The vulnerability affects Junos OS. Juniper's bulletin describes it as exploited in the wild and resolved in the releases below. Confirm your platform against Juniper's JSA93446 before scheduling work — the bulletin is the authoritative source for your specific chassis.

Product Affected Fixed
Junos OS (pre-21.2) All versions before 21.2R3-S9 21.2R3-S9
Junos OS 21.4 Before 21.4R3-S10 21.4R3-S10
Junos OS 22.2 Before 22.2R3-S6 22.2R3-S6
Junos OS 22.4 Before 22.4R3-S6 22.4R3-S6
Junos OS 23.2 Before 23.2R2-S3 23.2R2-S3
Junos OS 23.4 Before 23.4R2-S4 23.4R2-S4
Junos OS 24.2 Before 24.2R1-S2, 24.2R2 24.2R1-S2, 24.2R2

Releases 24.4R1 and all subsequent releases also contain the fix. Mandiant's reporting and CISA's KEV entry both note that exploitation was observed on devices running unsupported, end-of-life Junos versions and hardware — gear that, by definition, will never receive these patches.

How serious is it

The scoring tells a more nuanced story than the headlines. NVD rates CVE-2025-21590 as CVSS 4.4 (Medium) using CVSS 3.1, with the vector AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N. Juniper, as the CNA, scores it 6.7 (Medium) under the newer CVSS 4.0 framework (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/...). Both agree it is a local, high-privilege, integrity-impact issue — classified under CWE-653 (Improper Isolation or Compartmentalization).

What elevates a "medium" to an urgent priority is the rest of the picture. The flaw was added to the CISA KEV catalog on March 13, 2025, with a remediation due date of April 3, 2025 for U.S. federal civilian agencies under BOD 22-01. KEV inclusion means CISA has confirmed active exploitation in the wild — here, by a sophisticated state-aligned actor (UNC3886) using it as one link in a chain to establish persistent, hard-to-detect access on core network infrastructure.

The vector requires local shell access with high privileges, so this is not a remote, internet-facing pre-auth bug. In practice, UNC3886 used it post-compromise to defeat Veriexec and maintain stealthy persistence — exactly the kind of capability that turns an initial foothold into a long-term presence on a router that sees all your traffic.

Am I exposed?

Work through these questions:

  • Do you run Junos OS? This affects Junos OS routers; the campaign specifically targeted MX series routers, but verify your platform and release against JSA93446.
  • What release are you on? Check with show version. If your release predates the fixed version for your train (see the table), you are affected.
  • Is any device end-of-life? EOL hardware and software cannot be patched. UNC3886 specifically operated on unsupported gear. Inventory anything past Juniper's end-of-support dates and treat it as a standing liability.
  • Who has shell access? Because exploitation requires privileged shell access, audit which accounts can reach the Junos shell and how that access is granted and logged.
  • Any signs of compromise? Juniper's bulletin references updated anti-malware/IoC guidance, and Mandiant published indicators for the TinyShell-based backdoors. If you suspect exposure on an EOL device, assume it may have been targeted and investigate before simply patching over it.

How to fix it

  1. Upgrade to a fixed release. Move to the patched version for your train: 21.2R3-S9, 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 23.4R2-S4, 24.2R1-S2 / 24.2R2, 24.4R1, or any later release. Always confirm the correct target for your exact platform in JSA93446.
  2. Interim mitigation if you cannot patch immediately. Juniper's recommended mitigation is to restrict shell access to trusted users only. Because the vulnerability is only reachable through privileged shell access — not the Junos CLI — tightly limiting and auditing who can reach the shell materially reduces risk until you can upgrade.
  3. Run Juniper's malware/IoC checks. Apply the updated anti-malware signatures and threat-hunting guidance referenced in the bulletin and in Mandiant's reporting, especially on any device you suspect was reachable by the attacker.
  4. Replace end-of-life devices. No patch exists for EOL hardware or unsupported Junos releases. The only durable fix for that gear is migration to supported, currently-patched platforms.

How Uniqcli helps

Uniqcli is an authorized reseller for HPE, HPE Aruba Networking, and HPE Juniper Networking, and we support federal, SLED, healthcare, and enterprise customers through the upgrade-or-replace decision this advisory forces.

  • Assess exposure. We help you inventory your Junos fleet, map each device's current release against JSA93446, and flag end-of-life routers that cannot be patched and need to be replaced.
  • Source patched and replacement hardware. Whether you are upgrading software on supported chassis or retiring EOL gear, we can quote and supply current, supportable Juniper platforms.
  • Support the upgrade. We help plan and stage the move to a fixed Junos release with minimal disruption to production routing.
  • Compliant procurement. For public-sector buyers, we transact through TAA-compliant, GSA, and SEWP channels so remediation purchases meet your acquisition requirements.

If you operate Junos routers — especially anything near or past end-of-life — reach out and we will help you close CVE-2025-21590 and put a supportable refresh plan in place.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL