Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we maintain a Spanish-language database for interested users that includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally the list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Entries are identified using the CVE (Common Vulnerabilities and Exposures) standard for vulnerability names, which supports the exchange of information between different tools and databases.

Each vulnerability is linked to its information sources and to any patches or solutions published by the vendor or developer. Advanced searches are supported: results can be narrowed by criteria such as vulnerability type, vendor and impact level.

RSS feeds and newsletters provide daily notification of the vulnerabilities added to the repository. The list below, updated daily, shows the most recent entries.

CVE-2025-52989

Publication date:
11/07/2025
An Improper Neutralization of Delimiters vulnerability in the UI of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with high privileges to modify the system configuration.

A user with limited configuration and commit permissions, using a specifically crafted annotate configuration command, can change any part of the device configuration.

This issue affects:

Junos OS:
* all versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2-S1,
* 24.4 versions before 24.4R1-S2, 24.4R2;

Junos OS Evolved:
* all versions before 22.4R3-S7-EVO,
* 23.2-EVO versions before 23.2R2-S4-EVO,
* 23.4-EVO versions before 23.4R2-S5-EVO,
* 24.2-EVO versions before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R2-EVO.
Severity CVSS v4.0: MEDIUM
Last modification:
11/07/2025

CVE-2025-6549

Publication date:
11/07/2025
An Incorrect Authorization vulnerability in the web server of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to reach the Juniper Web Device Manager (J-Web).

When Juniper Secure Connect (JSC) is enabled on specific interfaces, or multiple interfaces are configured for J-Web, the J-Web UI is reachable over more than the intended interfaces.

This issue affects Junos OS:
* all versions before 21.4R3-S9,
* 22.2 versions before 22.2R3-S5,
* 22.4 versions before 22.4R3-S5,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S5,
* 24.2 versions before 24.2R2.
Severity CVSS v4.0: MEDIUM
Last modification:
11/07/2025

CVE-2025-7026

Publication date:
11/07/2025
A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., '$DB$' or '2DB$'), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-52981

Publication date:
11/07/2025
An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX1600, SRX2300, SRX4000 Series, and SRX5000 Series with SPC3 allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

If a sequence of specific PIM packets is received, this will cause a flowd crash and restart.

This issue affects Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S11,
* 22.2 versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S6,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2.

This is a similar but distinct vulnerability from the issue reported as CVE-2024-47503, published in JSA88133.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-52982

Publication date:
11/07/2025
An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

When an MX Series device with an MS-MPC is configured with two or more service sets which are both processing SIP calls, a specific sequence of call events will lead to a crash and restart of the MS-MPC.

This issue affects Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions from 21.4R1,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6.

As the MS-MPC is EoL after Junos OS 22.4, later versions are not affected.

This issue does not affect MX-SPC3 or SRX Series devices.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-52983

Publication date:
11/07/2025
A UI Discrepancy for Security Feature vulnerability in the UI of Juniper Networks Junos OS on VM Host systems allows a network-based, unauthenticated attacker to access the device.

On VM Host Routing Engines (RE), even if the configured public key for root has been removed, remote users who are in possession of the corresponding private key can still log in as root.

This issue affects Junos OS:
* all versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S5,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S3,
* 24.2 versions before 24.2R1-S2, 24.2R2.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-52984

Publication date:
11/07/2025
A NULL Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause impact to the availability of the device.

When a static route points to a reject next hop and a gNMI query is processed for that static route, rpd crashes and restarts.

This issue affects:

Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S10,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R1-S2, 24.2R2;

Junos OS Evolved:
* all versions before 22.4R3-S7-EVO,
* 23.2-EVO versions before 23.2R2-S3-EVO,
* 23.4-EVO versions before 23.4R2-S4-EVO,
* 24.2-EVO versions before 24.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-52985

Publication date:
11/07/2025
A Use of Incorrect Operator vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.

When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered.

This issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.

This issue is applicable to IPv4 and IPv6, as a prefix list can contain IPv4 and IPv6 prefixes.

This issue affects Junos OS Evolved:
* 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,
* 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,
* 24.2R2-EVO versions before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.

This issue does not affect Junos OS Evolved versions before 23.2R1-EVO.
Severity CVSS v4.0: MEDIUM
Last modification:
11/07/2025
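The exposure in CVE-2025-52985 is a property of the configuration (which interface and direction the filter sits on, and how many entries the referenced prefix list has), so it can be audited offline from a `set`-style configuration dump. The script below is an added example, not Juniper's code: it parses the three statement forms involved (prefix-list entries, `from prefix-list` terms, and filter attachments to interfaces), encodes the advisory's rule that re:mgmt filters are affected in both directions but lo0 filters only as output, and flags apply-path lists separately because their entry count is only known after commit. The sample configuration, the interface name `re0:mgmt-0` and the filter and list names are all constructed for the example.

```python
"""Audit a Junos 'set'-style configuration for the pattern in CVE-2025-52985:
a firewall filter applied to lo0 (output) or to a re:mgmt interface (input or
output) that matches with 'from prefix-list' on a list of more than 10 entries.
Added example, not Juniper's code."""
import re

MAX_SAFE_ENTRIES = 10  # advisory: lists with more than 10 entries stop matching

PREFIX_ENTRY_RE = re.compile(r"^set policy-options prefix-list (\S+) (.+)$")
FILTER_TERM_RE = re.compile(
    r"^set firewall family inet6? filter (\S+) term \S+ from prefix-list (\S+)(?: except)?$"
)
APPLY_RE = re.compile(
    r"^set interfaces (\S+) unit \d+ family inet6? filter (input|output) (\S+)$"
)
MGMT_IF_RE = re.compile(r"^re\d*:mgmt")  # Evolved management ports, e.g. re0:mgmt-0 (assumed naming)


def is_exposed(interface, direction):
    """Filter positions the advisory lists as affected: re:mgmt interfaces in
    both directions, lo0 only in the output direction."""
    if MGMT_IF_RE.match(interface):
        return True
    return interface == "lo0" and direction == "output"


def audit(config_text):
    """Return one (interface, direction, filter, prefix_list, entry_count) tuple
    per affected reference. entry_count is None for apply-path lists, whose
    size is only known after commit and must be checked on the device."""
    entries = {}     # prefix-list name -> number of static entries
    dynamic = set()  # prefix lists populated by apply-path
    refs = {}        # filter name -> prefix lists it matches on
    applied = []     # (interface, direction, filter) in configuration order
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PREFIX_ENTRY_RE.match(line):
            name, value = m.groups()
            if value.startswith("apply-path"):
                dynamic.add(name)
            else:
                entries[name] = entries.get(name, 0) + 1
        elif m := FILTER_TERM_RE.match(line):
            refs.setdefault(m.group(1), set()).add(m.group(2))
        elif m := APPLY_RE.match(line):
            applied.append(m.groups())

    findings = []
    for interface, direction, filt in applied:
        if not is_exposed(interface, direction):
            continue
        for pl in sorted(refs.get(filt, ())):
            if pl in dynamic:
                findings.append((interface, direction, filt, pl, None))
            elif entries.get(pl, 0) > MAX_SAFE_ENTRIES:
                findings.append((interface, direction, filt, pl, entries[pl]))
    return findings


# Constructed sample, not taken from any real device: MGMT-HOSTS holds 12
# entries (IPv4 and IPv6 mixed, since the advisory notes a list can hold both),
# NTP-SERVERS holds 2.
SAMPLE_CONFIG = "\n".join(
    [f"set policy-options prefix-list MGMT-HOSTS 192.0.2.{i}/32" for i in range(10)]
    + [
        "set policy-options prefix-list MGMT-HOSTS 2001:db8::1/128",
        "set policy-options prefix-list MGMT-HOSTS 2001:db8::2/128",
        "set policy-options prefix-list NTP-SERVERS 192.0.2.123/32",
        "set policy-options prefix-list NTP-SERVERS 2001:db8::123/128",
        "set firewall family inet filter PROTECT-RE term mgmt from prefix-list MGMT-HOSTS",
        "set firewall family inet filter PROTECT-RE term mgmt then accept",
        "set firewall family inet filter RE-OUT term mgmt from prefix-list MGMT-HOSTS",
        "set firewall family inet filter RE-OUT term ntp from prefix-list NTP-SERVERS",
        "set firewall family inet filter MGMT-IN term mgmt from prefix-list MGMT-HOSTS",
        "set interfaces lo0 unit 0 family inet filter input PROTECT-RE",
        "set interfaces lo0 unit 0 family inet filter output RE-OUT",
        "set interfaces re0:mgmt-0 unit 0 family inet filter input MGMT-IN",
    ]
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the lo0 input filter is not reported even though it references the 12-entry list, matching the advisory's statement that lo0 is only affected as output; the lo0 output filter and the re0:mgmt-0 input filter are. The script only recognises the `from prefix-list` form named in the advisory and only counts literal entries, so a list that grows past 10 through apply-path expansion shows up with an unknown count rather than a number.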

CVE-2025-52980

Publication date:
11/07/2025
A Use of Incorrect Byte Ordering vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS on SRX300 Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

When a BGP update is received over an established BGP session which contains a specific, valid, optional, transitive path attribute, rpd will crash and restart.

This issue affects eBGP and iBGP over IPv4 and IPv6.

This issue affects Junos OS:
* 22.1 versions from 22.1R1 before 22.2R3-S4,
* 22.3 versions before 22.3R3-S3,
* 22.4 versions before 22.4R3-S2,
* 23.2 versions before 23.2R2,
* 23.4 versions before 23.4R2.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-52994

Publication date:
11/07/2025
gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2025

CVE-2025-52953

Publication date:
11/07/2025
An Expected Behavior Violation vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS).

Continuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

This issue affects iBGP and eBGP, and both IPv4 and IPv6 are affected by this vulnerability.

This issue affects:

Junos OS:
* All versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S11,
* from 22.2 before 22.2R3-S7,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S4,
* from 24.2 before 24.2R2,
* from 24.4 before 24.4R1-S3, 24.4R2;

Junos OS Evolved:
* All versions before 22.2R3-S7-EVO,
* from 22.4-EVO before 22.4R3-S7-EVO,
* from 23.2-EVO before 23.2R2-S4-EVO,
* from 23.4-EVO before 23.4R2-S4-EVO,
* from 24.2-EVO before 24.2R2-EVO,
* from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025

CVE-2025-52954

Publication date:
11/07/2025
A Missing Authorization vulnerability in the internal virtual routing and forwarding (VRF) of Juniper Networks Junos OS Evolved allows a local, low-privileged user to gain root privileges, leading to a system compromise.

Any low-privileged user with the capability to send packets over the internal VRF can execute arbitrary Junos commands and modify the configuration, and thus compromise the system.

This issue affects Junos OS Evolved:
* All versions before 22.2R3-S7-EVO,
* from 22.4 before 22.4R3-S7-EVO,
* from 23.2 before 23.2R2-S4-EVO,
* from 23.4 before 23.4R2-S5-EVO,
* from 24.2 before 24.2R2-S1-EVO,
* from 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
11/07/2025
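Every Juniper entry on this page, from CVE-2025-52989 down to CVE-2025-52954, states affected versions the same way: an "all versions before X" clause that also covers every older train, then one "before" boundary per supported train, occasionally with two fixed builds in a single train ("from 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO"). Deciding whether a running release falls inside such a range is easy to get wrong with a plain string or tuple comparison. The following added example (not Juniper's code) parses the mainline release form used in these advisories, embeds the CVE-2025-52954 table as data, and applies the per-train rule; it assumes the `MM.mRn[-Sk][.build][-EVO]` release format and refuses to compare a Junos OS release against an Evolved table or vice versa.

```python
"""Compare a Junos or Junos OS Evolved release string with the affected ranges
published in an advisory. Added example, not Juniper's code; the table below
transcribes the ranges listed for CVE-2025-52954 (Junos OS Evolved)."""
import re

# Mainline release form used by the advisories on this page: MM.mRn[-Sk][-EVO].
# An optional trailing ".N" build number, as printed by 'show version', is
# ignored. X/D-style releases (e.g. 15.1X49-D170) are deliberately rejected.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")


def parse(release):
    """'23.4R2-S5-EVO' -> ((23, 4), (2, 5), True): train, (R, S) build, EVO flag."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unsupported release string: {release!r}")
    major, minor, r, s, evo = m.groups()
    return (int(major), int(minor)), (int(r), int(s or 0)), evo is not None


# train -> fixed build(s) in that train, as written in the advisory.
# "All versions before 22.2R3-S7-EVO" also covers every train older than 22.2.
# "from 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO" names two fixed builds: R1 is
# fixed from S2 onwards, and R2 is fixed from its first build.
CVE_2025_52954_EVO = {
    (22, 2): ["22.2R3-S7-EVO"],
    (22, 4): ["22.4R3-S7-EVO"],
    (23, 2): ["23.2R2-S4-EVO"],
    (23, 4): ["23.4R2-S5-EVO"],
    (24, 2): ["24.2R2-S1-EVO"],
    (24, 4): ["24.4R1-S2-EVO", "24.4R2-EVO"],
}


def status(release, ranges):
    """Return 'vulnerable', 'fixed' or 'not listed' for one release.

    Rule used: within a train, a build is fixed if the advisory lists a fixed
    build with the same R number and the running S number is at least that S,
    or if the running R number is above every R number listed. Any other build
    in a listed train is vulnerable. A plain tuple comparison would get this
    wrong for advisories such as "before 22.2R2-S5, 22.2R3-S2", where 22.2R3
    and 22.2R3-S1 are vulnerable although they sort above 22.2R2-S5."""
    train, (r, s), evo = parse(release)
    table_evo = parse(next(iter(ranges.values()))[0])[2]
    if evo != table_evo:
        raise ValueError("release family (Junos OS vs Evolved) does not match the table")
    if train < min(ranges):
        return "vulnerable"  # "all versions before ..." covers older trains
    if train not in ranges:
        return "not listed"  # a train the advisory does not cover
    fixes = [parse(f)[1] for f in ranges[train]]
    same_r = [fs for fr, fs in fixes if fr == r]
    if same_r:
        return "fixed" if s >= min(same_r) else "vulnerable"
    return "fixed" if r > max(fr for fr, _ in fixes) else "vulnerable"


if __name__ == "__main__":
    for rel in ["21.4R3-S5-EVO", "22.4R3-S6-EVO", "22.4R3-S7-EVO",
                "24.4R1-S1-EVO", "24.4R1-S3-EVO", "24.4R2-EVO", "25.2R1-EVO"]:
        print(f"{rel:16} {status(rel, CVE_2025_52954_EVO)}")
```

A "not listed" result is not a clean bill of health: it means the advisory names no boundary for that train, which for the Juniper entries here usually means the train is out of support rather than unaffected. To check another entry on this page, transcribe its bullets into a table of the same shape; the Junos OS and Junos OS Evolved lists of one advisory must become two separate tables, because the same numeric release means different code on the two platforms.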