CyberSecurity news

FlagThis - #networksecurity

Sergiu Gatlan@BleepingComputer //
Cisco has addressed a critical denial-of-service (DoS) vulnerability, CVE-2025-20115, found in the Border Gateway Protocol (BGP) confederation implementation of its IOS XR Software. The vulnerability arises from a memory corruption flaw, specifically the improper handling of the AS_CONFED_SEQUENCE attribute within BGP update messages. An attacker can exploit this by injecting a crafted message containing 255 or more autonomous system numbers, leading to process instability and a potential BGP process restart.

Successful exploitation allows an unauthenticated, remote attacker to crash the BGP process, disrupting routing and potentially causing significant service outages; this is particularly concerning for large-scale networks that run BGP confederations. Affected versions are Cisco IOS XR Release 7.11 and earlier, Release 24.1 and earlier, Release 24.2 before 24.2.21 (fixed in 24.2.21), and Release 24.3 (fixed in 24.3.1). The primary mitigation is to apply the fixed software release provided by Cisco.
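As an added illustration of the trigger condition described above (not code from Cisco or from any of the cited reports), the following Python parses a BGP AS_PATH attribute value and counts the AS numbers carried in AS_CONFED_SEQUENCE segments, so a monitoring tool can flag updates that reach the 255-entry size named in the advisory. It assumes 4-octet AS numbers (AS4 negotiated) and, as a conservative choice, sums confederation entries across all AS_CONFED_SEQUENCE segments rather than per segment; the sample paths are constructed, not captured.

```python
import struct

# AS_PATH segment types from RFC 4271 / RFC 5065 (confederations).
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
# Trigger size reported for CVE-2025-20115: 255 or more confederation AS numbers.
CONFED_SEQ_THRESHOLD = 255


def parse_as_path(value: bytes):
    """Parse an AS_PATH attribute value into (segment_type, [asn, ...]) pairs.
    Assumes 4-octet AS numbers (AS4 negotiated); raises ValueError if truncated."""
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated AS_PATH segment header")
        seg_type, seg_len = value[pos], value[pos + 1]   # 1-byte type, 1-byte AS count
        pos += 2
        end = pos + seg_len * 4
        if end > len(value):
            raise ValueError("AS_PATH segment length exceeds attribute")
        asns = [struct.unpack("!I", value[i:i + 4])[0] for i in range(pos, end, 4)]
        segments.append((seg_type, asns))
        pos = end
    return segments


def confed_sequence_as_count(value: bytes) -> int:
    """Total AS numbers carried in AS_CONFED_SEQUENCE segments (summed across segments; assumption)."""
    return sum(len(a) for t, a in parse_as_path(value) if t == AS_CONFED_SEQUENCE)


def is_suspicious_as_path(value: bytes) -> bool:
    """True when the confederation sequence reaches the advisory's reported trigger size."""
    return confed_sequence_as_count(value) >= CONFED_SEQ_THRESHOLD


def build_as_path(segments) -> bytes:
    """Encode (type, [asn, ...]) pairs to wire form; used here only to build sample input."""
    return b"".join(bytes([t, len(a)]) + b"".join(struct.pack("!I", x) for x in a)
                    for t, a in segments)


# Constructed samples (not captured traffic): a normal three-member confederation
# sequence, and one padded to 255 confederation entries spread over two segments.
NORMAL_PATH = build_as_path([(AS_CONFED_SEQUENCE, [65001, 65002, 65003]),
                             (AS_SEQUENCE, [64500, 64496])])
OVERSIZED_PATH = build_as_path([(AS_CONFED_SEQUENCE, [65001] * 200),
                                (AS_CONFED_SEQUENCE, [65002] * 55),
                                (AS_SEQUENCE, [64500])])
```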

References:
  • The DefendOps Diaries: Understanding the Cisco IOS XR Vulnerability: CVE-2025-20115
  • BleepingComputer: Cisco vulnerability lets attackers crash BGP on IOS XR routers
  • www.cysecurity.news: Cisco Warns of Critical Security Flaw in IOS XR Software – Immediate Update Recommended
  • securityaffairs.com: Cisco IOS XR flaw allows attackers to crash BGP process on routers
  • securityonline.info: Cisco Alerts on Public Disclosure of CVE-2025-20115 – BGP Flaw Puts Networks at Risk
  • Rescana: The Cisco IOS XR Software Border Gateway Protocol (BGP) Confederation Denial of Service vulnerability, identified as...
  • gbhackers.com: Cisco has issued a security advisory warning of a vulnerability in its IOS XR Software that could allow attackers to launch denial-of-service (DoS) attacks. The vulnerability, identified as CVE-2025-20115, affects the Border Gateway Protocol (BGP) confederation implementation in Cisco IOS XR Software, potentially allowing
  • bsky.app: Cisco has patched a denial of service (DoS) vulnerability that lets attackers crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message.

@Talkback Resources //
Juniper Networks has addressed a critical authentication bypass vulnerability, identified as CVE-2025-21589, affecting its Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Router products. The vulnerability allows a network-based attacker to bypass authentication and gain administrative control over affected devices. The severity of the flaw is highlighted by its critical CVSS score of 9.8.

Juniper has released fixed software versions, including SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, and SSR-6.3.3-r2, and advises users to upgrade affected systems promptly. For Conductor-managed deployments, upgrading only the Conductor nodes is sufficient, while WAN Assurance routers connected to the Mist Cloud have already received the patch automatically. The flaw was found through internal security testing.

References:
  • securityaffairs.com: Juniper Networks fixed a critical flaw in Session Smart Routers
  • Talkback Resources: Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication [exp] [net]
  • securityonline.info: CVE-2025-21589 (CVSS 9.8): Critical Authentication Bypass Flaw in Juniper Session Smart Routers
  • The Hacker News: Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication
  • www.bleepingcomputer.com: Juniper Patches Critical Auth Bypass in Session Smart Routers
  • www.heise.de: Juniper Session Smart Router: Security leak enables takeover
  • Vulnerability-Lookup: Vulnerability ncsc-2025-0062 has received a comment on Vulnerability-Lookup: 2025-02: Out-of-Cycle Security Bulletin: Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass Vulnerability (CVE-2025-21589)
  • BleepingComputer: Infosec Exchange Post: Juniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices.
  • socradar.io: Security Flaws in OpenSSH and Juniper Networks Demand Action (CVE-2025-26465, CVE-2025-26466, and CVE-2025-21589)
  • Talkback Resources: CVE-2025-21589 (CVSS 9.8): Critical Authentication Bypass Flaw in Juniper Session Smart Routers [app] [net]
  • cyble.com: Major Security Flaw in Juniper Networks Routers: How to Protect Your Systems

Sergiu Gatlan@BleepingComputer //
Cybersecurity agencies from the Five Eyes alliance, including the UK, Australia, Canada, New Zealand, and the U.S., have jointly released new guidance aimed at enhancing the security of network edge devices. The advisory urges manufacturers of these devices and appliances to improve forensic visibility, thereby empowering defenders to more effectively detect and investigate cyberattacks and data breaches. Network edge devices, such as firewalls, routers, VPN gateways, internet-facing servers, and IoT devices, are frequently targeted by both state-sponsored and financially motivated threat actors.

Such devices are often targeted to infiltrate critical infrastructure networks and systems. By improving forensic visibility, organizations can achieve quicker detection and response to security incidents, mitigating potential damage and downtime. The guidance is intended for both device manufacturers and critical infrastructure owners and operators. Additional resources and detailed information can be found on the websites of the participating cyber agencies, including those of Australia, Canada, the UK, and the US.

References:
  • BleepingComputer: InfoSec Exchange - Five Eyes cybersecurity agencies in the UK, Australia, Canada, New Zealand, and the U.S. have issued guidance urging makers of network edge devices and appliances to improve forensic visibility to help defenders detect attacks and investigate breaches.
  • BleepingComputer: Cyber agencies share security guidance for network edge devices
  • www.securityweek.com: SecurityWeek - Five Eyes Agencies Release Guidance on Securing Edge Devices
  • www.cyber.gc.ca: Cyber agencies from the Five Eyes, Australia, Canada, New Zealand, the UK, and the US, released guidance on securing network edge devices
  • Krypt3ia: The UK’s leading cybersecurity agency and its Five Eyes peers have produced new guidance for manufacturers of edge devices designed to improve baseline security.

@www.helpnetsecurity.com //
A sophisticated cyberattack campaign, dubbed "J-Magic," has been targeting enterprise-grade Juniper routers since mid-2023, with activity observed until at least mid-2024. This stealthy operation uses custom-crafted "magic packets" to trigger a variant of the cd00r backdoor. Once activated, the malware establishes a reverse shell, granting attackers full access to the compromised devices. This allows for data exfiltration, device control, and the deployment of further malicious payloads. The malware operates by passively monitoring network traffic for specific TCP packets, designed to trigger the backdoor. This technique enables the threat actors to gain a strong foothold in enterprise networks by using routers that often serve as VPN gateways.

The "J-Magic" campaign primarily targets routers in the semiconductor, energy, manufacturing, and IT sectors, particularly in Europe and South America. The malware is loaded into the device's memory, where it watches traffic for five distinct network signals; when it detects them, it spawns a reverse shell on the device, allowing complete takeover. It uses an RSA-based challenge-response mechanism so that only the operator holding the matching key can use the backdoor, and while it shares some similarities with the "SeaSpy" malware family, that challenge step marks a step up in operational security. The campaign targets Junos OS, which is common on enterprise-grade networking equipment, and many of the compromised routers were acting as VPN gateways, which gives the attackers a position for lateral movement within the network.

References:
  • www.scworld.com: Malware campaign targeting enterprise Juniper routers.
  • blog.lumen.com: Black Lotus Labs : The Black Lotus Labs team reports on a backdoor attack tailored for use against enterprise-grade Juniper routers in a campaign dubbed "J-magic". This backdoor is opened by a passive agent that continuously monitors for a "magic packet," sent by the attacker in TCP traffic.
  • cyberpress.org: Juniper Routers Magic Packet Vulnerability Exploited to Deliver Custom Backdoor
  • www.bleepingcomputer.com: A malicious campaign has been specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a "magic packet" in the network traffic.
  • www.helpnetsecurity.com: A stealthy attack campaign turned Juniper enterprise-grade routers into entry points to corporate networks via the "J-magic" backdoor, which is loaded into the devices' memory and spawns a reverse shell when instructed to do so.
  • gbhackers.com: Juniper routers exploited via Magic Packet vulnerability to deploy custom backdoor
  • ciso2ciso.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet – Source: go.theregister.com
  • The Register: Unknown attackers have been secretly inserting backdoors into Juniper routers in key sectors since mid-2023, potentially compromising a large number of critical devices.
  • Ars Technica: Backdoor infecting VPNs used "magic packets" for stealth and security. J-Magic backdoor infected organizations in a wide array of industries.
  • ciso2ciso.com: J-Magic malware campaign targets Juniper routers, using a passive agent to monitor network traffic for predefined "magic packets" to exploit.
  • Pyrzout :vm:: J-magic malware campaign targets Juniper routers
  • go.theregister.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet Who could be so interested in chips, manufacturing, and more, in the US, UK, Europe, Russia... Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.…
  • AAKL: Additional information about the Juniper router attack.
  • Pyrzout :vm:: J-magic malware campaign targets Juniper routers – Source: securityaffairs.com
  • The Hacker News: Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers
  • Help Net Security: Juniper enterprise routers backdoored via "magic packet" malware
  • securityaffairs.com: Threat actors are targeting Juniper routers with a custom backdoor in a campaign called "J-magic." Attackers exploit a "Magic Packet" flaw to deliver the malware.
  • Threats | CyberScoop: Researchers at Black Lotus Labs have uncovered an operation where a back door is dropped onto enterprise-grade Juniper Networks routers and listens for specific network signals, known as "magic packets," to execute malicious commands.
  • The Register - Security: Initial report on the backdoor campaign
  • aboutdfir.com: Someone is slipping a hidden backdoor into Juniper routers across the globe, activated by a magic packet. Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023. The devices were infected with what appears to be a variant of cd00r, a publicly available […]