🟢 CVE-2025-21590

CVE-2025-21590 is a local privilege escalation vulnerability in Juniper Junos OS that requires high privileges and shell access to exploit. Despite being in CISA KEV due to active exploitation, it cannot be exploited directly from the internet: its attack vector is LOCAL, and it requires existing high-privilege access to the device shell.

Risk Level: LOW_RISK

CVSS Score: 4.4

Attack Vector: LOCAL

ATT&CK Tactic: Privilege Escalation

ATT&CK Technique: T1068 — Exploitation for Privilege Escalation

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-03-12

Added to CISA KEV: 2025-03-13 (1 day between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-21590 is a critical vulnerability in the kernel of Juniper Networks' Junos OS, characterized as an "Improper Isolation or Compartmentalization" flaw [2] [5].

Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability has been exploited in the wild [1].
  • Threat Actor: It has been linked to the China-nexus threat actor known as UNC3886 as part of a campaign referred to as "RedPenguin" [1].
  • Nature of Attacks: The flaw was used to install persistent, stealthy rootkits on carrier-grade routers, effectively turning network infrastructure into platforms for espionage [1]. Note that Amazon's initial discovery of the vulnerability was the result of internal security research, not exploitation [3].

Attack Method and Requirements
  • Access Level: Exploitation requires a local attacker with high privileges who already has access to the device's shell [2] [5].
  • Exploitation Vector: The vulnerability is not exploitable via the Junos CLI [2].
  • Mechanism: Successful exploitation allows an attacker to bypass the Veriexec integrity subsystem, enabling the injection and execution of arbitrary code [1].

Impact
  • Successful exploitation results in the compromise of the device's integrity [2]. By bypassing integrity checks, attackers can maintain persistence and operate stealthily within the network infrastructure [1].

Affected Versions and Mitigation
Juniper Networks released security updates to address this issue. The vulnerability affects various versions of Junos OS, including but not limited to:
  • All versions before 21.2R3-S9
  • 21.4 versions before 21.4R3-S10
  • 22.2 versions before 22.2R3-S6
  • 22.4 versions before 22.4R3-S6
  • 23.2 versions before 23.2R2-S3 (and others in the 23.x branch) [4]
Users are advised to consult the official [Juniper Networks Security Bulletin](https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-Bulletin-Junos-OS-A-local-attacker-with-shell-access-can-execute-arbitrary-code-CVE-2025-21590) for the complete list of affected versions and to apply the necessary patches.

Sources

  1. CVE-2025-21590: The RedPenguin Kernel Bypass - CVEReports

    A critical improper isolation vulnerability in the Juniper Networks Junos OS kernel allows local attackers to bypass the Veriexec integrity subsystem. Exploited in the wild by the China-nexus threat actor UNC3886 as part of the RedPenguin campaign, this flaw enables the installation of persistent, s…

  2. CVE-2025-21590 Detail - NVD

    A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device. This issue is not exploitable from the Junos ... CVE-2025-21590 Detail Description An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos O…

  3. 2025-03 Out-of-Cycle Security Bulletin: Junos OS: A local attacker ...

    2025-03 Out-of-Cycle Security Bulletin: Junos OS: A local attacker with shell access can execute arbitrary code (CVE-2025-21590). Article ID ... Related Information CVE-2025-21590 Acknowledgements Juniper SIRT would like to acknowledge and thank Matteo Memelli from Amazon for responsibly reporting t…

  4. An Improper Isolation or Compartmentalization... · CVE-2025-21590 ...

    A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device. This issue is not exploitable from the Junos CLI. This issue affects Junos OS: All versions before 21.2R3-S9, 21.4 versions before 21.4R3-S10, 22.2 versions before 22.2R3-S6, 22.4 vers…

  5. CVE-2025-21590: Deep Dive into the Junos OS Improper Isolation...

    CVE-2025-21590 is an Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks' Junos OS. This vulnerability allows a local attacker with high privileges to execute arbitrary code, compromising the integrity of the affected device. Google Cloud Blog: Ghost in the Rout…