CVE-2025-52985

Severity CVSS v4.0: MEDIUM
Type: Unavailable / Other
Publication date: 11/07/2025
Last modified: 11/07/2025

Description

A Use of Incorrect Operator vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.

When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered.

This issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.

This issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.

This issue affects Junos OS Evolved:

* 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,
* 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,
* 24.2R2-EVO versions before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.

This issue does not affect Junos OS Evolved versions before 23.2R1-EVO.
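
To check whether a device's configuration meets the conditions described above, the following audit script (an added example, not Juniper's code) scans a configuration in "display set" form for filters that reference a prefix list with more than 10 entries and are applied in one of the affected directions. The sample configuration is constructed, the function names are hypothetical, and the script assumes management interfaces are named like re0:mgmt-0; it does not check the running release against the affected versions.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "display set" form (not taken from any real device).
SAMPLE_CONFIG = "\n".join(
    [f"set policy-options prefix-list MGMT-ALLOW 192.0.2.{i}/32" for i in range(1, 12)]
    + [
        "set policy-options prefix-list SMALL 198.51.100.0/24",
        "set firewall family inet filter PROTECT-RE term allow from prefix-list MGMT-ALLOW",
        "set firewall family inet filter PROTECT-RE term allow then accept",
        "set firewall family inet filter LO-OUT term t1 from prefix-list SMALL",
        "set interfaces re0:mgmt-0 unit 0 family inet filter input PROTECT-RE",
        "set interfaces lo0 unit 0 family inet filter input PROTECT-RE",
        "set interfaces lo0 unit 0 family inet filter output LO-OUT",
    ]
)

PREFIX_RE = re.compile(r"^set policy-options prefix-list (\S+) (\S+/\d+)$")
MATCH_RE = re.compile(r"^set firewall (?:family \S+ )?filter (\S+) term \S+ from prefix-list (\S+)$")
APPLY_RE = re.compile(r"^set interfaces (\S+) unit \S+ family \S+ filter (input|output) (\S+)$")
THRESHOLD = 10  # per the advisory: lists with more than 10 entries fail to match


def in_scope(interface, direction):
    """Scope stated in the advisory: re:mgmt input and output, lo0 output only."""
    if re.match(r"^re\d*:mgmt", interface):  # assumed naming, e.g. re0:mgmt-0
        return True
    return interface == "lo0" and direction == "output"


def find_exposed(config_text):
    """Return sorted (interface, direction, filter, prefix_list, entries) tuples."""
    entries, uses, applied = defaultdict(set), defaultdict(set), []
    for line in map(str.strip, config_text.splitlines()):
        if m := PREFIX_RE.match(line):
            entries[m.group(1)].add(m.group(2))
        elif m := MATCH_RE.match(line):
            uses[m.group(1)].add(m.group(2))
        elif m := APPLY_RE.match(line):
            applied.append(m.groups())
    return sorted(
        (ifc, direction, flt, pl, len(entries[pl]))
        for ifc, direction, flt in applied if in_scope(ifc, direction)
        for pl in uses[flt] if len(entries[pl]) > THRESHOLD
    )


if __name__ == "__main__":
    print(*find_exposed(SAMPLE_CONFIG), sep="\n")
```

In the sample, only the re0:mgmt-0 input filter is reported: the same filter on lo0 input is outside the affected scope, and the lo0 output filter references a list with a single entry.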

References to Advisories, Solutions, and Tools