Skip to content
Uniqcli

"Juniper Junos OS CVE-2025-21601: Unauthenticated CPU-Exhaustion DoS via Web Management"

NewsUniqcli TeamJune 4, 20266 min read
"Juniper Junos OS CVE-2025-21601: Unauthenticated CPU-Exhaustion DoS via Web Management"

Juniper disclosed CVE-2025-21601, a denial-of-service vulnerability in the web-management stack of Junos OS, in its April 2025 security advisories. Genuine, well-formed network traffic to enabled web-management services can drive CPU utilization up until the device stops responding. There is no exploit code, no privilege requirement, and no user interaction needed, which makes this worth acting on even though it does not result in code execution or data theft.

This post lays out exactly what is affected, what the fixed versions are, how to tell whether you are exposed, and how to remediate, citing Juniper's PSIRT bulletin and the NVD record so you can verify every detail.

What happened

Juniper Networks published a security bulletin (CVE-2025-21601) describing an "Improper Following of Specification by Caller" weakness (CWE-573) in the web-management components of Junos OS. The affected services are J-Web, Captive Portal, 802.1X, and Juniper Secure Connect (JSC), all of which run through the device's httpd process.

When one of these services is enabled, an unauthenticated, network-based attacker can send legitimate-looking packets that the device processes inefficiently. The result is a steady CPU climb that, if sustained, makes the device unresponsive, a classic resource-exhaustion denial of service. Because the traffic is "genuine" rather than malformed, perimeter filtering that only looks for obviously bad packets may not catch it.

Affected products and versions

The vulnerability affects Junos OS on the following platforms when web management is enabled for the relevant services. The version data below comes directly from the NVD record and Juniper's advisory.

Product Affected Fixed
Junos OS (SRX Series, EX Series, MX240/MX480/MX960, QFX5120 Series) All versions before 21.4R3-S9 21.4R3-S9
Junos OS 22.2 before 22.2R3-S5 22.2R3-S5
Junos OS 22.4 before 22.4R3-S4 22.4R3-S4
Junos OS 23.2 before 23.2R2-S3 23.2R2-S3
Junos OS 23.4 before 23.4R2-S3 23.4R2-S3
Junos OS 24.2 before 24.2R1-S1 and 24.2R2 24.2R1-S1, 24.2R2

Note that the platform scope is specific: this advisory names the SRX Series, EX Series, the MX240/MX480/MX960 chassis, and the QFX5120 Series. Other MX or QFX models are not listed in this particular bulletin. If you run a mixed Juniper fleet, confirm each model against the advisory rather than assuming the whole family is in scope.

How serious is it

NVD scores CVE-2025-21601 as CVSS 3.1 base 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and also publishes a CVSS 4.0 base of 8.7 (High). The score reflects a high availability impact with no confidentiality or integrity impact: this is purely a "knock the box over" flaw, not a path to admin access or data exfiltration.

On exploitation status: as of this writing, CVE-2025-21601 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and we found no public reporting of active exploitation in the wild. That is good news, but the absence of confirmed attacks should not be read as "safe to defer." The vulnerability is unauthenticated and network-reachable, the affected platforms (SRX firewalls, EX switches, MX edge routers) are often internet-facing or sit at trust boundaries, and a DoS against any of them can take down a site. Treat it as a serious availability risk and patch on your normal-but-prompt cadence.

Am I exposed?

You are potentially exposed if both of these are true:

  1. You run an affected Junos OS version on an SRX, EX, MX240/MX480/MX960, or QFX5120 device (see the table above).
  2. One or more of the affected web-management services is enabled: J-Web, Captive Portal, 802.1X, or Juniper Secure Connect.

To check the running version, use show version on the device. To see whether web management or J-Web is enabled, inspect your configuration for system services web-management and the related Captive Portal, 802.1X, and Juniper Secure Connect stanzas. Devices where these services are reachable from untrusted networks, especially the internet or guest segments, carry the highest risk. Exposure is significantly lower if web management is bound only to a management VRF or restricted to a small set of trusted source addresses.

How to fix it

Patch. The definitive fix is to upgrade to a fixed Junos OS release for your train: 21.4R3-S9, 22.2R3-S5, 22.4R3-S4, 23.2R2-S3, 23.4R2-S3, 24.2R1-S1, or 24.2R2 (or any later release). Match the fixed version to the train you currently run, and validate the upgrade path in your change-management process before deploying to production firewalls or edge routers.

Interim mitigations if you cannot patch immediately:

  • Restrict access to web management. Limit which source addresses can reach J-Web, Captive Portal, 802.1X, and Juniper Secure Connect, for example with firewall filters / loopback lockdown so only trusted management hosts can connect.
  • Disable unused web-management services. If you do not actively use J-Web, Captive Portal, or JSC, disabling them removes the attack surface entirely on those devices.
  • Keep management off untrusted networks. Ensure these services are not exposed to the internet or to guest/user segments; bind management to a dedicated, isolated network where possible.

These mitigations reduce who can reach the vulnerable code, but they are stopgaps. Upgrading to a fixed release remains the only complete remediation.

How Uniqcli helps

Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller, and we work with federal, SLED, healthcare, and enterprise teams on exactly this kind of remediation:

  • Assess exposure. We can help inventory your Juniper fleet, identify which SRX, EX, MX, and QFX5120 devices run affected Junos OS versions, and confirm which web-management services are enabled and reachable.
  • Source patched or replacement hardware. If devices are end-of-support, cannot take a fixed release, or need to be refreshed as part of the fix, we can quote and supply current, supportable Juniper platforms.
  • Support the upgrade. We can help plan the Junos OS upgrade path and interim mitigations so you minimize downtime on production edge and security devices.
  • Compliant procurement. We support TAA-compliant, GSA, and SEWP procurement paths for public-sector and regulated buyers.

If you want a hand scoping your CVE-2025-21601 exposure or sourcing patched hardware, reach out to the Uniqcli team.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL