CVE-2025-52951

Publication date: 2025-07-11

Last updated on: 2025-07-15

Assigner: Juniper Networks, Inc.

Description
A Protection Mechanism Failure vulnerability in kernel filter processing of Juniper Networks Junos OS allows an attacker sending IPv6 traffic destined to the device to effectively bypass any firewall filtering configured on the interface. Due to an issue with Junos OS kernel filter processing, the 'payload-protocol' match is not being supported, causing any term containing it to accept all packets without taking any other action. In essence, these firewall filter terms were being processed as an 'accept' for all traffic on the interface destined for the control plane, even when used in combination with other match criteria. This issue only affects firewall filters protecting the device's control plane. Transit firewall filtering is unaffected by this vulnerability.

This issue affects Junos OS:
* all versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S11,
* from 22.2 before 22.2R3-S7,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S1,
* from 24.4 before 24.4R1-S2, 24.4R2.

This is a more complete fix for previously published CVE-2024-21607 (JSA75748).
Meta Information
Published: 2025-07-11
Last Modified: 2025-07-15
Generated: 2026-05-07
AI Q&A: 2025-07-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: juniper
Product: junos_os
Version / Range: *
CWE ID: CWE-693
Description: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Protection Mechanism Failure in the kernel filter processing of Juniper Networks Junos OS. Specifically, the 'payload-protocol' match is not supported correctly, causing firewall filter terms containing it to accept all packets without applying any filtering. As a result, an attacker sending IPv6 traffic to an interface can bypass any firewall filtering configured on that interface.


How can this vulnerability impact me?

This vulnerability allows an attacker to bypass firewall filtering on affected Junos OS interfaces by sending IPv6 traffic destined to the device. This means unauthorized traffic can reach the device's control plane despite the configured filter, potentially leading to exposure of internal network resources, unauthorized access, or other security breaches. Transit firewall filtering is unaffected.
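To find out whether a device's configuration relies on the affected match, the following added example (not code from Juniper or from this page's source) lists every IPv6 filter term that uses 'payload-protocol' and the interfaces where that filter is applied as an input filter. It assumes set-format configuration text as input; the filter names, term names and sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of set-format configuration (not from a real device).
SAMPLE_CONFIG = """\
set firewall family inet6 filter PROTECT-RE6 term bgp from payload-protocol tcp
set firewall family inet6 filter PROTECT-RE6 term bgp from destination-port bgp
set firewall family inet6 filter PROTECT-RE6 term bgp then accept
set firewall family inet6 filter PROTECT-RE6 term icmp6 from next-header icmp6
set firewall family inet6 filter PROTECT-RE6 term icmp6 then accept
set firewall family inet6 filter PROTECT-RE6 term last then discard
set firewall family inet6 filter EDGE6 term web from payload-protocol tcp
set firewall family inet6 filter EDGE6 term web then accept
set firewall family inet filter PROTECT-RE4 term ssh from protocol tcp
set interfaces lo0 unit 0 family inet6 filter input PROTECT-RE6
set interfaces lo0 unit 0 family inet filter input PROTECT-RE4
"""

# IPv6 filter terms whose match conditions include payload-protocol.
TERM_RE = re.compile(
    r"^set firewall family inet6 filter (\S+) term (\S+) from (payload-protocol\S*) (.+)$")
# Interfaces that apply an IPv6 filter in the input direction.
APPLY_RE = re.compile(
    r"^set interfaces (\S+) unit (\S+) family inet6 filter (?:input|input-list) (\S+)$")

def audit(config_text):
    """Return one finding per inet6 term using payload-protocol, with where it is applied."""
    terms = defaultdict(list)    # filter name -> [(term, match, value)]
    applied = defaultdict(list)  # filter name -> ["interface.unit", ...]
    for line in config_text.splitlines():
        line = line.strip()
        if m := TERM_RE.match(line):
            terms[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := APPLY_RE.match(line):
            applied[m.group(3)].append(f"{m.group(1)}.{m.group(2)}")
    findings = []
    for name, hits in sorted(terms.items()):
        for term, match, value in hits:
            findings.append({"filter": name, "term": term, "match": f"{match} {value}",
                             "input_on": sorted(applied.get(name, []))})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        where = ", ".join(f["input_on"]) or "not applied as inet6 input filter"
        print(f"{f['filter']} term {f['term']}: {f['match']} -> {where}")
```

A finding with a non-empty `input_on` list on a release in the affected ranges above is a term that, per the description, was processed as an accept for traffic destined to the control plane. Configuration inherited from groups is only seen if the input text has been flattened first.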

