Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2025-52961

Uncontrolled Resource Consumption

Published: Oct 09, 2025 | Modified: Oct 09, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Vulnerability-free packages from our partners
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2025-52961
CWEhttps://cwe.mitre.org/data/definitions/400.html

An Uncontrolled Resource Consumption vulnerability in the Connectivity Fault Management (CFM) daemon and the Connectivity Fault Management Manager (cfmman) of Juniper Networks Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).

An attacker on an adjacent device sending specific valid traffic can cause cfmd to spike the CPU to 100% and cfmmans memory to leak, eventually to cause the FPC crash and restart.

Continued receipt and processes of these specific valid packets will sustain the Denial of Service (DoS) condition.

An indicator of compromise is to watch for an increase in cfmman memory rising over time by issuing the following command and evaluating the RSS number. If the RSS is growing into GBs then consider restarting the device to temporarily clear memory.

  user@device> show system processes node fpc detail | match cfmman

Example: 

  show system processes node fpc0 detail | match cfmman    F S UID       PID       PPID PGID   SID   C PRI NI  ADDR SZ    WCHAN   RSS     PSR STIME TTY         TIME     CMD   4 S root      15204     1    15204  15204 0 80  0   - 90802     -      113652   4  Sep25 ?           00:15:28 /usr/bin/cfmman -p /var/pfe -o -c /usr/conf/cfmman-cfg-active.xml This issue affects Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016:

  • from 23.2R1-EVO before 23.2R2-S4-EVO,
  • from 23.4 before 23.4R2-S4-EVO,
  • from 24.2 before 24.2R2-EVO,
  • from 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO.

This issue does not affect Junos OS Evolved on PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, PTX10016 before 23.2R1-EVO.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use