PT-2025-15851 · Juniper Networks · Junos
Published 2025-04-09 · Updated 2025-04-15 · CVE-2025-21601
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Amber
Name of the Vulnerable Software and Affected Versions:
Junos OS versions prior to 21.4R3-S9
Junos OS versions 22.2 prior to 22.2R3-S5
Junos OS versions 22.4 prior to 22.4R3-S4
Junos OS versions 23.2 prior to 23.2R2-S3
Junos OS versions 23.4 prior to 23.4R2-S3
Junos OS versions 24.2 prior to 24.2R1-S1, 24.2R2
Description:
An Improper Following of Specification by Caller vulnerability in web management of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause the CPU to climb until the device becomes unresponsive, creating a sustained Denial of Service (DoS) condition. This can be achieved by sending genuine traffic targeted to the device. An indicator of compromise is a high CPU percentage of the httpd process, which can be reviewed in the CLI using the command:
show system processes extensive | match httpd
Recommendations:
For versions prior to 21.4R3-S9, update to version 21.4R3-S9 or later.
For versions 22.2 prior to 22.2R3-S5, update to version 22.2R3-S5 or later.
For versions 22.4 prior to 22.4R3-S4, update to version 22.4R3-S4 or later.
For versions 23.2 prior to 23.2R2-S3, update to version 23.2R2-S3 or later.
For versions 23.4 prior to 23.4R2-S3, update to version 23.4R2-S3 or later.
For versions 24.2 prior to 24.2R1-S1, 24.2R2, update to a version that includes the fix for this issue.
As a temporary workaround, consider monitoring the CPU usage of the httpd process to quickly identify potential exploitation attempts.
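The description above names `show system processes extensive | match httpd` as the indicator to check, and the workaround asks for ongoing monitoring of httpd CPU. The following is an added example (not Juniper's or the advisory author's code) of how a defender can turn that into a sustained-threshold check: it parses the process lines, sums the WCPU column for the httpd processes, and only alerts when several consecutive polls stay above a threshold, which matches the "CPU climbs until unresponsive" behaviour better than a single spike would. The sample CLI lines are constructed, and the column layout (FreeBSD-style `top` output with WCPU and COMMAND as the last two columns), the 50% threshold and the three-poll window are assumptions to tune per device.

```python
"""Sustained httpd CPU check for the Junos httpd DoS indicator.

Added example for this advisory; not Juniper's or Positive Technologies' code.
Assumes the process table printed by `show system processes extensive` uses
the FreeBSD-style top layout, i.e. the last two columns are WCPU and COMMAND.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample polls of `show system processes extensive | match httpd`.
# The lines imitate the real column layout but the values are made up.
POLL_NORMAL = """\
 1734 nobody      1  52    0 32300K 11640K select  0   0:01  0.05% httpd
 1601 root        1  20    0 18012K  7544K select  0   0:00  0.00% httpd-gk
"""

POLL_BUSY = """\
  PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
 1734 nobody      1 103    0 33184K 12232K RUN     1   4:12 91.70% httpd
 1601 root        1  20    0 18012K  7544K select  0   0:00  0.00% httpd-gk
"""


@dataclass(frozen=True)
class HttpdProcess:
    pid: int
    user: str
    wcpu: float      # value of the WCPU column, in percent
    command: str     # "httpd" or "httpd-gk" (the match filter shows both)


# Only PID, USERNAME and the trailing "<wcpu>% <command>" are relied upon, so
# the regex survives the variable middle columns (C column present or not).
_LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s.*\s(?P<wcpu>\d+(?:\.\d+)?)%\s+(?P<cmd>\S+)\s*$"
)


def parse_httpd_processes(cli_output: str) -> List[HttpdProcess]:
    """Return one record per httpd* process line; header and noise are skipped."""
    procs: List[HttpdProcess] = []
    for line in cli_output.splitlines():
        m = _LINE_RE.match(line)
        if not m or not m.group("cmd").startswith("httpd"):
            continue
        procs.append(HttpdProcess(
            pid=int(m.group("pid")),
            user=m.group("user"),
            wcpu=float(m.group("wcpu")),
            command=m.group("cmd"),
        ))
    return procs


def httpd_cpu_total(procs: Sequence[HttpdProcess]) -> float:
    """Sum WCPU over the web-management daemon itself (httpd), not httpd-gk."""
    return round(sum(p.wcpu for p in procs if p.command == "httpd"), 2)


def sustained_high_cpu(polls: Sequence[str], threshold: float = 50.0,
                       consecutive: int = 3) -> bool:
    """True when the last `consecutive` polls all show httpd CPU >= threshold.

    Threshold and window are assumptions; a single busy sample is ignored so
    that a legitimate burst of web-management traffic does not page anyone.
    """
    if len(polls) < consecutive:
        return False
    recent = polls[-consecutive:]
    return all(httpd_cpu_total(parse_httpd_processes(p)) >= threshold
               for p in recent)


if __name__ == "__main__":
    # Feed successive CLI captures here (e.g. collected every minute via
    # NETCONF or a cron'd SSH session, which is an assumed collection method).
    history = [POLL_NORMAL, POLL_BUSY, POLL_BUSY, POLL_BUSY]
    for p in history:
        print("httpd CPU total:", httpd_cpu_total(parse_httpd_processes(p)))
    if sustained_high_cpu(history):
        print("ALERT: httpd CPU sustained above threshold; review web "
              "management exposure and apply the fixed release")
```

In practice the polls would come from a periodic CLI capture; the check deliberately keys on the exact `httpd` command name so the gatekeeper process (`httpd-gk`) does not inflate the total, and it reports the summed WCPU because more than one httpd worker may appear.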
Fix
DoS
Improper Resource Release
Related Identifiers
Affected Products
Junos