- Juniper Networks has patched a vulnerability in its routers
- The flaw was being abused by Chinese threat actors
- Multiple devices were vulnerable
Juniper Networks has released a patch for a vulnerability that was being exploited in the wild to attack some of its router brands.
According to the company’s security advisory, the bug is an improper isolation, or compartmentalization weakness, and it’s tracked as CVE-2025-21590. It was given a severity score of 6.7 (medium).
The bug is used by Chinese hackers, who had been exploiting it since 2024 to backdoor vulnerable Juniper routers that reached end-of-life, a recent Madiant security report revealed.
Chinese hackers
“In mid 2024, Mandiant discovered threat actors deployed custom backdoors operating on Juniper Networks’ Junos OS routers,” the cybersecurity company explained. “Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL based backdoors operating on Juniper Networks’ Junos OS routers.”
UNC3886 was observed in the past targeting defense, technology, and telecommunications organizations with sophisticated malware, deployed through zero-day vulnerabilities.
It affects at least these models: NFX-Series, Virtual SRX, SRX-Series Branch, SRX-Series HE, EX-Series, QFX-Series, ACX, and MX-Series, however, Juniper Networks said that it is still investigating the vulnerability and that the full list could be different.
The bug can be exploited to allow local attackers with high privileges to run arbitrary code on the routers, and thus compromise them.
“At least one instance of malicious exploitation (not at Amazon) has been reported to the Juniper SIRT,” Juniper said in its advisory. “Customers are encouraged to upgrade to a fixed release as soon as it’s available and in the meantime take steps to mitigate this vulnerability.”
The issue was resolved in 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.
At the same time, CISA added the bug to its Known Exploited Vulnerabilities catalog (KEV), confirming reports of in-the-wild abuse, and giving Federal Civilian Executive Branch (FCEB) agencies three weeks to apply the patch, or stop using vulnerable solutions.
Via BleepingComputer
Leave a comment