Skip to main content
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Veriexec bypass and arbitrary code injection in Juniper Junos OS kernel

IdentifiersCVE-2025-21590CWE-653· Improper Isolation or…

CVE-2025-21590 is an improper isolation or compartmentalization flaw in the Juniper Networks Junos OS kernel. According to the provided content, a local attacker with high privileges and shell access can inject arbitrary code into the memory of legitimate processes on affected devices, bypassing Junos OS Veriexec protections intended to prevent unauthorized binary execution. The issue is explicitly stated to be exploitable from the shell, not from the Junos CLI. Mandiant reporting in the provided context ties the flaw to UNC3886 activity on Juniper MX routers, where the actor used the technique to inject malicious code into legitimate process memory and perform local memory patching of Junos daemons such as snmpd and mgd.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation compromises the integrity of the affected device. The attacker can bypass Veriexec enforcement, inject malicious code into legitimate processes, and execute unauthorized functionality within trusted process context. In the observed threat activity described in the content, this enabled stealthy malware execution, modification of Junos daemons, inhibition of logging, and sustained malicious operations on compromised Juniper devices.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by preventing unauthorized shell access, tightly restricting and monitoring privileged account use, and auditing for unexpected entry into the underlying FreeBSD shell. Because the issue is not exploitable from the Junos CLI and requires local high-privilege shell access, hardening management access paths, limiting root-level access, and monitoring for process-memory patching or anomalous modifications to daemons such as snmpd and mgd may reduce risk. The provided content specifically recommends use of JMRT Quick Scan and Integrity Check to identify compromise.

Remediation

Patch, then assume compromise.

Upgrade Junos OS to a fixed release. The provided content states affected versions are all releases before 21.2R3-S9; 21.4 before 21.4R3-S10; 22.2 before 22.2R3-S6; 22.4 before 22.4R3-S6; 23.2 before 23.2R2-S3; 23.4 before 23.4R2-S4; and 24.2 before 24.2R1-S2 and 24.2R2. The content also notes Juniper released updated images and updated signatures for the Juniper Malware Removal Tool (JMRT), and recommends upgrading to the latest Juniper images followed by JMRT Quick Scan and Integrity Check.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Juniper NetworksJunoshardware

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

11 SOURCESView more in app
cybersecurity diveNews
Mar 6, 2026
Nearly half of exploited zero-day flaws target enterprise-grade technology | Cybersecurity Dive

An improper isolation flaw affecting Juniper MX routers that was exploited by UNC3886 in a notable 2025 zero-day campaign.

Read more
cso onlineNews
Oct 20, 2025
Network security devices endanger orgs with ’90s era flaws

An arbitrary code execution vulnerability in Juniper MX Series routers.

Read more
mitre attack websiteNews
Mar 22, 2023
UNC3886, Group G1048 | MITRE ATT&CK®

A Junos OS vulnerability exploited to bypass Veriexec protections and enable malicious code injection into legitimate processes.

Read more
mitre attack websiteNews
Aug 7, 2017
Process Injection, Technique T1055 - Enterprise | MITRE ATT&CK®

A specific vulnerability exploited by UNC3886 during RedPenguin to enable malicious code injection into legitimate process memory.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence7

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-21590
NVD
nvd.nist.gov/vuln/detail/CVE-2025-21590
MITRE CWE · CWE-653
Improper Isolation or Compartmentalization
Vendor Advisory
supportportal.juniper.net/JSA93446
Third Party Advisory
cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21590