"Juniper Junos OS CVE-2025-21593: Malformed SRv6 BGP Update Crashes rpd"

Juniper Networks disclosed CVE-2025-21593 on January 9, 2025, in its 2025-01 security bulletin for Junos OS and Junos OS Evolved. The flaw lets an unauthenticated, network-adjacent attacker crash the routing protocol daemon (rpd) on devices that have SRv6 (Segment Routing over IPv6) enabled. Because rpd carries all of a device's routing state, a crash is a meaningful event for any router in a service-provider core or large enterprise backbone. This post covers what is confirmed by the vendor advisory and public CVE records, who is affected, and how to remediate.
What happened
The vulnerability is an Improper Control of a Resource Through its Lifetime issue (CWE-664) in the rpd process. On a Junos device with SRv6 configured, a specially crafted BGP UPDATE packet causes rpd to crash and restart. If an attacker keeps sending the malformed updates, rpd keeps crashing, producing a sustained denial-of-service (DoS) condition.
A few details from the advisory matter for risk scoping:
- The condition is reachable over both iBGP and eBGP.
- It affects both IPv4 and IPv6 address families.
- SRv6 must be enabled for the device to be exposed. Devices without SRv6 configured are not affected by this specific issue.
No code execution or data exposure is involved; the impact is availability only. For routing infrastructure, that is still a serious outcome.
Affected products and versions
The issue affects both Junos OS and Junos OS Evolved across multiple release trains. The table reflects the version boundaries in Juniper's 2025-01 bulletin. "Affected" means versions earlier than the listed fixed release within that train.
| Product | Affected | Fixed |
|---|---|---|
| Junos OS (21.2 train) | All versions before 21.2R3-S9 | 21.2R3-S9 |
| Junos OS (21.4 train) | 21.4 before 21.4R3-S10 | 21.4R3-S10 |
| Junos OS (22.2 train) | 22.2 before 22.2R3-S5 | 22.2R3-S5 |
| Junos OS (22.3 train) | 22.3 before 22.3R3-S4 | 22.3R3-S4 |
| Junos OS (22.4 train) | 22.4 before 22.4R3-S3 | 22.4R3-S3 |
| Junos OS (23.2 train) | 23.2 before 23.2R2-S2 | 23.2R2-S2 |
| Junos OS (23.4 train) | 23.4 before 23.4R2 | 23.4R2 |
| Junos OS Evolved (21.2 train) | All versions before 21.2R3-S9-EVO | 21.2R3-S9-EVO |
| Junos OS Evolved (21.4 train) | 21.4-EVO before 21.4R3-S10-EVO | 21.4R3-S10-EVO |
| Junos OS Evolved (22.2 train) | 22.2-EVO before 22.2R3-S5-EVO | 22.2R3-S5-EVO |
| Junos OS Evolved (22.3 train) | 22.3-EVO before 22.3R3-S4-EVO | 22.3R3-S4-EVO |
| Junos OS Evolved (22.4 train) | 22.4-EVO before 22.4R3-S3-EVO | 22.4R3-S3-EVO |
| Junos OS Evolved (23.2 train) | 23.2-EVO before 23.2R2-S2-EVO | 23.2R2-S2-EVO |
| Junos OS Evolved (23.4 train) | 23.4-EVO before 23.4R2-EVO | 23.4R2-EVO |
Always confirm the fixed release for your exact platform and train against the live Juniper bulletin before scheduling a maintenance window, since vendors occasionally revise service-release targets.
How serious is it
The CVE record lists a CVSS 3.1 base score of 6.5 (Medium) with the vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and a CVSS 4.0 base score of 7.1 (High). The vectors are consistent: no authentication or user interaction is required, the impact is entirely on availability, and the attack vector is Adjacent (AV:A) rather than fully remote across the open internet.
On exploitation status: as of this writing, CVE-2025-21593 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and we have found no credible reports of active exploitation in the wild. That lowers immediate urgency relative to a KEV-listed flaw, but does not eliminate the risk. The combination of "unauthenticated" and "sustained DoS on the routing plane" makes this a patch-soon item for any operator running SRv6.
Am I exposed?
Three questions decide your exposure:
- Are you running an affected Junos OS or Junos OS Evolved release? Check with
show versionand compare against the table above. - Is SRv6 enabled? If SRv6 is not configured anywhere on the device, this particular vulnerability does not apply. SRv6 is most common in service-provider cores and large transport networks; many enterprise and campus deployments do not run it.
- Who can send you BGP updates? Because the issue is reachable over eBGP as well as iBGP, exposure is broader than a purely internal peering design. Review which peers can reach the device's BGP listeners and whether any sit outside your trust boundary.
If you answer "affected version," "SRv6 enabled," and "BGP peers present," treat the device as exposed and prioritize remediation.
How to fix it
Upgrade to a fixed release. Juniper's remediation is to move to the patched service release for your train, as listed above (for example, 22.4R3-S3 / 22.4R3-S3-EVO, or 23.4R2 / 23.4R2-EVO). The bulletin states there are no known workarounds for this issue, so patching is the primary fix.
Interim risk reduction while you schedule the upgrade:
- Constrain BGP exposure. Apply firewall filters / control-plane protection (lo0 filters) to limit which sources can reach the device's BGP listeners, and restrict sessions to known, authenticated peers.
- Harden BGP inputs. Maintain strict inbound route policy and prefix limits on every peer so malformed updates have the smallest possible blast radius.
- Reconsider SRv6 scope. If SRv6 is enabled on a device that does not require it, disabling that feature removes the precondition for this vulnerability. Validate the impact on your routing design first.
- Monitor rpd. Watch for unexpected rpd restarts or core files, an indicator of attempted exploitation.
Treat the interim steps as defense-in-depth, not a substitute for the upgrade.
How Uniqcli helps
Uniqcli is an authorized reseller for HPE, HPE Aruba Networking, and HPE Juniper Networking, and we support federal, SLED, healthcare, and enterprise customers end to end on advisories like this one. We can:
- Assess your exposure by reviewing your Junos OS / Junos OS Evolved inventory, identifying SRv6-enabled devices, and flagging which platforms need the patched service release.
- Plan and support the upgrade, including identifying the correct fixed version per platform and train and sequencing maintenance windows to protect routing availability.
- Source patched or replacement hardware where an in-place upgrade is not viable, including end-of-life platforms that should be refreshed.
- Procure through your preferred vehicle, with TAA-compliant options and purchasing via GSA and SEWP for public-sector buyers.
If you operate SRv6 on Juniper and want help confirming whether CVE-2025-21593 affects you, reach out to the Uniqcli team and we will scope it with you.
Sources
- Juniper 2025-01 Security Bulletin: Junos OS and Junos OS Evolved (CVE-2025-21593)
- NVD - CVE-2025-21593
- CVE Record: CVE-2025-21593 (cve.org)
- Vulnerability-Lookup: CVE-2025-21593 (CIRCL)
- GovCERT.HK Security Alert (A25-01-06): Multiple Vulnerabilities in Juniper Networks Products
- CISA Known Exploited Vulnerabilities Catalog