CVE-2025-21590
Published: 12 March 2025
Description
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
Security Summary
CVE-2025-21590 is an Improper Isolation or Compartmentalization vulnerability (CWE-653) in the kernel of Juniper Networks Junos OS. It enables a local attacker with high privileges to compromise the integrity of the device by injecting arbitrary code. The issue affects Junos OS versions prior to 21.2R3-S9; 21.4 versions before 21.4R3-S10; 22.2 versions before 22.2R3-S6; 22.4 versions before 22.4R3-S6; 23.2 versions before 23.2R2-S3; 23.4 versions before 23.4R2-S4; and 24.2 versions before 24.2R1-S2 or 24.2R2. The vulnerability has a CVSS v3.1 base score of 4.4 (AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N) and was published on 2025-03-12.
A local attacker with shell access and high privileges can exploit this vulnerability to inject arbitrary code, compromising the integrity of the device. Exploitation is not possible from the Junos CLI; it requires prior shell access, which limits the attack surface to scenarios where an attacker has already achieved elevated local access.
The Juniper advisory (JSA93446) details mitigation through upgrading to the fixed releases listed for each affected version branch. CISA has added CVE-2025-21590 to its Known Exploited Vulnerabilities catalog, indicating real-world exploitation.
A Google Cloud threat intelligence blog highlights China-nexus espionage activity targeting Juniper routers, providing notable context for this vulnerability in active threat campaigns.
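As an added example (not code from Juniper or from this page), the following Python sketch classifies Junos OS version strings against the fixed releases listed in the summary above. It assumes releases order by R number and then S number, accepts only the `NN.NRn[-Sn]` form, and uses a constructed inventory with hypothetical hostnames; branches the summary does not list are reported as unknown rather than guessed.

```python
import re

# First fixed release per branch, taken from the summary above.
# 24.2R2 sorts after 24.2R1-S2, so one lower bound covers both listed fixes.
FIRST_FIXED = {
    (21, 2): (3, 9),
    (21, 4): (3, 10),
    (22, 2): (3, 6),
    (22, 4): (3, 6),
    (23, 2): (2, 3),
    (23, 4): (2, 4),
    (24, 2): (1, 2),
}
OLDEST_LISTED_BRANCH = (21, 2)

# Assumption: only plain "21.4R3-S10" / "24.2R2" style strings are handled.
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")

def parse_junos_version(text):
    """Return ((major, minor), (release, service_pack)) or raise ValueError."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Junos version string: {text!r}")
    major, minor, rel, sp = m.groups()
    return (int(major), int(minor)), (int(rel), int(sp or 0))

def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    branch, release = parse_junos_version(text)
    if branch < OLDEST_LISTED_BRANCH:
        return "affected"   # everything prior to 21.2R3-S9
    if branch not in FIRST_FIXED:
        return "unknown"    # branch not named in the summary: do not guess
    return "affected" if release < FIRST_FIXED[branch] else "fixed"

def audit(inventory):
    """Map each host in {host: version} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}

# Constructed sample inventory; hostnames are hypothetical.
SAMPLE_INVENTORY = {
    "edge-rtr-01": "21.4R3-S9",
    "edge-rtr-02": "24.2R1-S2",
    "core-rtr-01": "20.4R3-S10",
    "lab-rtr-01": "22.3R3",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Hosts reported as unknown need a manual check against the Juniper advisory (JSA93446) rather than being treated as safe.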
Details
- CWE(s): CWE-653
- KEV Date Added: 13 March 2025
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The kernel improper isolation vulnerability (CVE-2025-21590) allows a local privileged attacker with shell access to inject arbitrary code (shellcode loader and payloads) into legitimate processes like cat, bypassing Veriexec file integrity protections. This directly enables Process Injection (T1055).