CVE-2025-21590

4.42.42%

CVE-2025-21590: The Ghost in the Juniper Kernel

Alon Barad

Software Engineer

Jan 6, 2026·6 min read·16 visits

Active ExploitationCISA KEV Listed

Executive Summary (TL;DR)

CVE-2025-21590 is a 'God Mode' switch for Juniper Junos OS. While it requires high privileges (root shell) to trigger, it allows attackers to break out of user-space confinement and write arbitrary code directly into the kernel. This flaw was weaponized by UNC3886 to disable security logging, hide processes, and maintain persistent, invisible control over carrier-grade routers. The official CVSS is a misleadingly low 4.4, masking the catastrophic reality of this post-exploitation capability.

A deep-dive into how China-nexus actors turned high-privilege shell access into invisible kernel persistence on Juniper devices. This vulnerability demonstrates a critical failure in kernel-user space isolation, allowing attackers to overwrite the operating system itself.

Official Patches

Juniper NetworksOfficial Security Advisory JSA93446

Technical Appendix

CVSS Score

4.4/ 10

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

2.42%

Top 15% most exploited

Affected Systems

Juniper MX Series RoutersJuniper SRX Series FirewallsJuniper EX Series Switches

Affected Versions Detail

Product	Affected Versions	Fixed Version
Junos OS Juniper	< 21.2R3-S9	21.2R3-S9
Junos OS 23.4 Juniper	< 23.4R2-S4	23.4R2-S4
Junos OS 24.2 Juniper	< 24.2R1-S2	24.2R1-S2

Attribute	Detail
CWE	CWE-653 (Improper Isolation)
CVSS v3.1	4.4 (Medium)
Attack Vector	Local (Shell Access)
Privileges Required	High (Root)
Integrity Impact	High (Kernel Modification)
EPSS Score	2.42%
KEV Status	Listed (Active Exploitation)

MITRE ATT&CK Mapping

T1068Exploitation for Privilege Escalation

Privilege Escalation

T1014Rootkit

Defense Evasion

T1562.001Impair Defenses: Disable or Modify Tools

Defense Evasion

CWE-653

Improper Isolation or Compartmentalization

The product does not properly isolate or compartmentalize elements, which can allow an attacker to access sensitive information or modify the system state.

Known Exploits & Detection

MandiantAnalysis of UNC3886 usage of the exploit in the wild.

Vulnerability Timeline

CVE Published by Juniper

2025-03-12

Added to CISA KEV Catalog

2025-03-13

Last Modified Date

2025-10-24

CVE-2025-21590

4.42.42%

CVE-2025-21590: The Ghost in the Juniper Kernel

Alon Barad

Software Engineer

Jan 6, 2026·6 min read·16 visits

Active ExploitationCISA KEV Listed

Executive Summary (TL;DR)

Attack Flow Diagram

Official Patches

Juniper NetworksOfficial Security Advisory JSA93446

Technical Appendix

CVSS Score

4.4/ 10

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

2.42%

Top 15% most exploited

Affected Systems

Juniper MX Series RoutersJuniper SRX Series FirewallsJuniper EX Series Switches

Affected Versions Detail

Product	Affected Versions	Fixed Version
Junos OS Juniper	< 21.2R3-S9	21.2R3-S9
Junos OS 23.4 Juniper	< 23.4R2-S4	23.4R2-S4
Junos OS 24.2 Juniper	< 24.2R1-S2	24.2R1-S2

Attribute	Detail
CWE	CWE-653 (Improper Isolation)
CVSS v3.1	4.4 (Medium)
Attack Vector	Local (Shell Access)
Privileges Required	High (Root)
Integrity Impact	High (Kernel Modification)
EPSS Score	2.42%
KEV Status	Listed (Active Exploitation)

MITRE ATT&CK Mapping

T1068Exploitation for Privilege Escalation

Privilege Escalation

T1014Rootkit

Defense Evasion

T1562.001Impair Defenses: Disable or Modify Tools

Defense Evasion

CWE-653

Improper Isolation or Compartmentalization

The product does not properly isolate or compartmentalize elements, which can allow an attacker to access sensitive information or modify the system state.

Known Exploits & Detection

MandiantAnalysis of UNC3886 usage of the exploit in the wild.

Vulnerability Timeline

CVE Published by Juniper

2025-03-12

Added to CISA KEV Catalog

2025-03-13

Last Modified Date

2025-10-24