CVE-2025-60007

EUVD-2026-2703

15.01.2026, 21:16

A NULL Pointer Dereference vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS on MX, SRX and EX Series allows a local attacker with low privileges to cause a Denial-of-Service (DoS).


When a user executes the 'show chassis' command with specifically crafted options, chassisd will crash and restart. Due to this all components but the Routing Engine (RE) in the chassis are reinitialized, which leads to a complete service outage, which the system automatically recovers from.



This issue affects:

Junos OS on MX, SRX and EX Series: 



  *  all versions before 22.4R3-S8,
  *  23.2 versions before 23.2R2-S5,
  *  23.4 versions before 23.4R2-S6,
  *  24.2 versions before 24.2R2-S2,
  *  24.4 versions before 24.4R2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
juniper	CNA	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
juniper	junos	𝑥 < 22.4
juniper	junos	22.4
juniper	junos	22.4:r1
juniper	junos	22.4:r1-s1
juniper	junos	22.4:r1-s2
juniper	junos	22.4:r2
juniper	junos	22.4:r2-s1
juniper	junos	22.4:r2-s2
juniper	junos	22.4:r3
juniper	junos	22.4:r3-s1
juniper	junos	22.4:r3-s2
juniper	junos	22.4:r3-s3
juniper	junos	22.4:r3-s4
juniper	junos	22.4:r3-s5
juniper	junos	22.4:r3-s6
juniper	junos	22.4:r3-s7
juniper	junos	23.2
juniper	junos	23.2:r1
juniper	junos	23.2:r1-s1
juniper	junos	23.2:r1-s2
juniper	junos	23.2:r2
juniper	junos	23.2:r2-s1
juniper	junos	23.2:r2-s2
juniper	junos	23.2:r2-s3
juniper	junos	23.2:r2-s4
juniper	junos	23.4
juniper	junos	23.4:r1
juniper	junos	23.4:r1-s1
juniper	junos	23.4:r1-s2
juniper	junos	23.4:r2
juniper	junos	23.4:r2-s1
juniper	junos	23.4:r2-s2
juniper	junos	23.4:r2-s3
juniper	junos	23.4:r2-s4
juniper	junos	23.4:r2-s5
juniper	junos	24.2
juniper	junos	24.2:r1
juniper	junos	24.2:r1-s1
juniper	junos	24.2:r1-s2
juniper	junos	24.2:r2
juniper	junos	24.2:r2-s1
juniper	junos	24.4
juniper	junos	24.4:r1
juniper	junos	24.4:r1-s2
juniper	junos	24.4:r1-s3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://kb.juniper.net/JSA103173

https://supportportal.juniper.net/