Skip to content
Uniqcli

"Juniper Junos OS CVE-2025-52960: SIP Packets Crash flowd/mspmand on SRX and MX"

NewsUniqcli TeamJune 2, 20266 min read
"Juniper Junos OS CVE-2025-52960: SIP Packets Crash flowd/mspmand on SRX and MX"

What happened

On October 8, 2025, Juniper Networks (now part of HPE) published a security bulletin for CVE-2025-52960, a denial-of-service vulnerability in the Session Initiation Protocol Application Layer Gateway (SIP ALG) of Junos OS running on SRX Series firewalls and MX Series routers.

The root cause is a classic buffer copy without checking the size of the input (CWE-120). When the SIP ALG processes specific SIP packets while the device is already in a high memory-utilization condition, the flaw corrupts memory and crashes the packet-forwarding daemon — flowd on SRX, mspmand on MX. The Flexible PIC Concentrator (FPC) processing the traffic restarts automatically, but if the triggering SIP packets keep arriving while utilization remains high, the crash repeats. The result is a sustained denial of service on the dataplane.

No authentication and no user interaction are required. The attack is network-reachable, but it depends on two real-world conditions: the SIP ALG must be in use, and the device must be under high memory pressure. That makes VoIP-heavy edge deployments — service-provider voice peering, contact centers, and enterprises that run SIP through their SRX or MX — the most realistic targets.

Affected products and versions

CVE-2025-52960 affects Junos OS on the SRX Series and MX Series. Per Juniper's bulletin and the NVD record, the affected and fixed release trains are:

Product Affected Fixed
Junos OS (SRX Series, MX Series) All versions before 22.4R3-S7 22.4R3-S7
Junos OS (SRX Series, MX Series) 23.2 before 23.2R2-S4 23.2R2-S4
Junos OS (SRX Series, MX Series) 23.4 before 23.4R2-S5 23.4R2-S5
Junos OS (SRX Series, MX Series) 24.2 before 24.2R2 24.2R2

These version boundaries are taken directly from Juniper's October 2025 bulletin and the NVD entry. If a release is not listed in the "fixed" column above and is older than the corresponding boundary, treat it as vulnerable until upgraded.

How serious is it

Juniper and NVD score CVE-2025-52960 as follows:

  • CVSS 4.0: 8.2 (High) — vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/RE:M
  • CVSS 3.1: 5.9 (Medium) — vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

The two scores reflect the same reality from different angles: the impact is availability-only (no data confidentiality or integrity loss), but a complete dataplane outage on a perimeter firewall or core router is a significant event. The CVSS 3.1 vector marks attack complexity as High because of the precondition (high memory utilization); CVSS 4.0 captures the same nuance in its attack-requirements and recovery metrics, which is why the headline number is higher.

On exploitation status: as of this writing, CVE-2025-52960 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and we found no public reporting or vendor statement indicating active exploitation in the wild. Juniper SIRT typically notes when it is aware of exploitation; no such notice accompanies this advisory. We will update this post if that changes — but the absence of confirmed exploitation is not a reason to defer patching a network-reachable DoS on edge infrastructure.

Am I exposed?

You are potentially affected if all of the following are true:

  1. The platform. You run an SRX Series firewall or an MX Series router. (Other Junos platforms are not named in this advisory.)
  2. The version. Your Junos OS release falls into one of the affected ranges in the table above. Check with show version.
  3. The SIP ALG is active. This vulnerability lives in the SIP ALG. If SIP ALG is not configured/enabled on the device, the specific code path cannot be triggered. On SRX, review your security ALG and security-zone configuration; SIP ALG is commonly enabled to handle VoIP traffic. You can inspect the running state with the relevant show security alg status operational command.

Devices that are exposed to untrusted networks and that process SIP for voice — SIP trunks, hosted PBX connectivity, contact-center media paths — carry the highest practical risk, especially if they routinely run hot on memory.

How to fix it

Primary remediation — upgrade Junos OS to the first fixed release for your train:

  • 22.4R3-S7 (or later) for any release before it
  • 23.2R2-S4 (or later)
  • 23.4R2-S5 (or later)
  • 24.2R2 (or later)

Pick the fixed release that matches your current train, or move to a later supported train. Validate the target release against your platform and feature set before deploying, and follow your standard change-control and upgrade-validation process.

Interim mitigation — reduce the SIP ALG attack surface. Where SIP ALG is not actually required, disabling it removes the vulnerable code path entirely. If SIP ALG is required for your VoIP traffic, restrict which sources can reach the SIP service through firewall filters / security policies and apply control-plane and zone-based protections so that only trusted SIP peers can deliver packets to the ALG. Monitoring memory utilization and addressing the conditions that drive the device into a high-utilization state also reduces the likelihood that the trigger condition is met. These are risk-reduction measures, not a substitute for the patched release — apply the upgrade as the durable fix. Confirm any configuration change against Juniper's bulletin and your own design before making it in production.

How Uniqcli helps

Uniqcli is an authorized reseller of HPE, HPE Aruba Networking, and HPE Juniper Networking, and we support US federal, SLED, healthcare, and enterprise customers end to end on advisories like this one:

  • Assess exposure. We help you inventory your SRX and MX fleet, identify which devices run affected Junos OS versions, and determine where the SIP ALG is in use so you can prioritize the units that actually carry risk.
  • Source the fix. We can quote and supply patched Junos OS upgrade paths and, where hardware refresh or capacity expansion is the better answer, source replacement SRX/MX hardware and current-generation HPE Juniper Networking platforms.
  • Support the upgrade. We coordinate maintenance windows, staging, and rollback planning so the move to a fixed release fits your change-control process with minimal disruption.
  • Compliant procurement. Everything is available through TAA-compliant, GSA, and SEWP vehicles, so federal and public-sector buyers can remediate without procurement friction.

If you operate Juniper SRX or MX at the edge and want a fast read on your exposure to CVE-2025-52960, contact Uniqcli and we will help you scope the assessment and the upgrade.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL