Skip to content
Uniqcli

"Juniper Junos OS CVE-2025-30646: Malformed LLDP TLV Crashes l2cpd"

NewsUniqcli TeamJune 3, 20266 min read
"Juniper Junos OS CVE-2025-30646: Malformed LLDP TLV Crashes l2cpd"

Juniper Networks disclosed CVE-2025-30646 in its April 2025 security bulletin cycle. It is a denial-of-service (DoS) flaw in the Layer 2 Control Protocol daemon (l2cpd) on Junos OS and Junos OS Evolved. An unauthenticated, network-adjacent attacker can crash the daemon with a single malformed LLDP TLV. This post walks through what is confirmed, who is affected, and the exact remediation, with sources at the bottom so you can verify everything yourself.

What happened

The Link Layer Discovery Protocol (LLDP) is a Layer 2 protocol that network devices use to advertise their identity and capabilities to directly connected neighbors. LLDP messages are built from Type-Length-Value (TLV) structures.

CVE-2025-30646 is a Signed to Unsigned Conversion Error in the l2cpd process, which handles LLDP and other Layer 2 control protocols on Junos. According to Juniper's advisory and the NVD record, when an LLDP telemetry subscription is active, receipt of a specifically malformed LLDP TLV causes l2cpd to crash and restart. Because the attacker only needs to be on an adjacent (directly connected) network segment and does not need credentials, repeated delivery of the malformed packet creates a sustained DoS condition: the daemon crashes, restarts, and crashes again as long as the traffic keeps arriving.

This is a Layer 2 control-plane availability issue. There is no indication in the advisory that it leads to code execution, data disclosure, or configuration tampering — the impact is loss of availability.

Affected products and versions

The flaw affects both Junos OS and Junos OS Evolved across multiple release trains. The fixed releases below are the versions Juniper identifies as resolving the issue. Always confirm the exact fixed build for your platform against the Juniper bulletin before scheduling an upgrade.

Product Affected Fixed
Junos OS All versions before 21.2R3-S9 21.2R3-S9
Junos OS 21.4 before 21.4R3-S10 21.4R3-S10
Junos OS 22.2 before 22.2R3-S6 22.2R3-S6
Junos OS 22.4 before 22.4R3-S6 22.4R3-S6
Junos OS 23.2 before 23.2R2-S3 23.2R2-S3
Junos OS 23.4 before 23.4R2-S4 23.4R2-S4
Junos OS 24.2 before 24.2R2 24.2R2
Junos OS Evolved All versions before 21.4R3-S10-EVO 21.4R3-S10-EVO
Junos OS Evolved 22.2-EVO before 22.2R3-S6-EVO 22.2R3-S6-EVO
Junos OS Evolved 22.4-EVO before 22.4R3-S6-EVO 22.4R3-S6-EVO
Junos OS Evolved 23.2-EVO before 23.2R2-S3-EVO 23.2R2-S3-EVO
Junos OS Evolved 23.4-EVO before 23.4R2-S4-EVO 23.4R2-S4-EVO
Junos OS Evolved 24.2-EVO before 24.2R2-EVO 24.2R2-EVO

Subsequent service releases and later trains (for example 24.4 and newer) are not listed as affected. If you run a release not shown here, check the Juniper bulletin directly to confirm your status rather than assuming.

How serious is it

Juniper, acting as the CVE Numbering Authority, and the NVD record assign the following scores:

  • CVSS 4.0: 7.1 (High) — vector CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
  • CVSS 3.1: 6.5 (Medium) — vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

The vectors tell a consistent story: adjacent attack vector (AV:A), low complexity (AC:L), no privileges and no user interaction required (PR:N/UI:N), with the entire impact on availability (VA:H / A:H) and none on confidentiality or integrity.

On exploitation status: as of this writing, CVE-2025-30646 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and we found no public reporting of active exploitation in the wild. (A separate, unrelated Junos flaw, CVE-2025-21590, was added to KEV earlier in 2025 — do not confuse the two.) The absence of known exploitation lowers urgency relative to a KEV-listed bug, but the low attack complexity and lack of authentication mean this should still be remediated on a normal-to-expedited patch schedule, especially on devices exposed to untrusted Layer 2 adjacencies.

Am I exposed?

You are potentially exposed if all of the following are true:

  • You run a Junos OS or Junos OS Evolved release listed in the affected table above.
  • LLDP is enabled, and an LLDP telemetry subscription is active (the condition the advisory ties the crash to).
  • An untrusted device can reach the affected interface at Layer 2 — for example a shared switching fabric, a multi-tenant access layer, a lab or DMZ segment, or any port where you do not fully control the neighbor.

The risk is highest in environments where the attacker-adjacency assumption is weak: campus access switches with user-facing ports, co-location or shared fabrics, and any segment where a compromised or rogue host could sit one hop away. Core and tightly controlled links where every neighbor is trusted carry lower practical risk, though they are still technically affected.

To check your running version, use show version (Junos OS) or the equivalent on Junos OS Evolved, and review whether LLDP and LLDP telemetry are configured.

How to fix it

Patch. Upgrade to the fixed release for your train as listed in the table above (for example 21.2R3-S9, 22.4R3-S6, 23.4R2-S4, 24.2R2, or the matching -EVO builds for Junos OS Evolved). Patching is the only complete fix.

Interim mitigations until you can schedule the upgrade:

  • Where LLDP is not required, disabling LLDP — or the LLDP telemetry subscription specifically — removes the trigger condition described in the advisory.
  • Restrict Layer 2 adjacency on at-risk ports. Limiting which devices can connect to user-facing or shared segments reduces the population of potential attackers, since the flaw requires adjacency.
  • Treat these as risk-reduction steps, not a substitute for patching. Confirm any configuration change against Juniper's bulletin and your own change-control process before applying it in production.

As always, validate the target image against your hardware and current configuration, stage the upgrade in a maintenance window, and have a rollback plan.

How Uniqcli helps

Uniqcli is an authorized reseller for HPE, HPE Aruba Networking, and HPE Juniper Networking, and we support US federal, SLED, healthcare, and enterprise customers. For CVE-2025-30646 we can:

  • Assess exposure — inventory your Junos OS and Junos OS Evolved fleet, map running versions against the affected/fixed table, and flag devices where LLDP telemetry and untrusted Layer 2 adjacency raise practical risk.
  • Source patched and replacement hardware — supply current, supported Juniper platforms and the right software entitlements so you can move to a fixed release, and replace end-of-support gear that can no longer take patches.
  • Support the upgrade — help plan staged rollouts, maintenance windows, and rollback so remediation does not introduce new outages.

We procure through TAA-compliant, GSA, and SEWP channels, which keeps the path straightforward for federal and SLED buyers. If you want help scoping your exposure or sourcing patched hardware, reach out to the Uniqcli team.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL