Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.

The medium-severity flaw (CVE-2025-21590) was reported by Amazon security engineer Matteo Memelli and is caused by an improper isolation or compartmentalization weakness. Successful exploitation lets local attackers with high privileges execute arbitrary code on vulnerable routers to compromise the devices' integrity.

The vulnerability impacts NFX-Series, Virtual SRX, SRX-Series Branch, SRX-Series HE, EX-Series, QFX-Series, ACX, and MX-Series devices and was resolved in 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.

Juniper's advisory was released the same day as a Mandiant report revealing that Chinese hackers have exploited the security flaw since 2024 to backdoor vulnerable Juniper routers that had reached end-of-life (EoL). "In mid 2024, Mandiant discovered threat actors deployed custom backdoors operating on Juniper Networks' Junos OS routers," the cybersecurity company explained. Another Chinese-nexus threat actor (tracked as UNC4841) deployed this malware more than two years ago on Barracuda Email Security Gateways to breach the email servers of U.S. government agencies.

CISA also added CVE-2025-21590 to its catalog of actively exploited vulnerabilities on Thursday, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Juniper devices by April 3rd, as mandated by Binding Operational Directive (BOD) 22-01.

Earlier this year, Black Lotus Labs researchers said that unknown threat actors have been targeting Juniper edge devices (many acting as VPN gateways) with J-magic malware that opens a reverse shell if it detects a "magic packet" in the network traffic.
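A defender triaging a fleet needs to map each device's running Junos version onto the fixed-release list above. The following is an added example (not from the article, Juniper or Mandiant) that parses Junos version strings of the form `MM.mRn-Sk` and decides whether a version falls at or above the fix for its release train; it assumes the article's list is complete and treats trains the article does not mention as unknown rather than guessing.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases for CVE-2025-21590 exactly as listed in the article. Within a
# listed train, every release at or above the listed one counts as fixed
# ("and all subsequent releases").
FIXED_RELEASES = ["21.4R3-S10", "22.2R3-S6", "22.4R3-S6", "23.2R2-S3",
                  "24.2R1-S2", "24.2R2", "24.4R1"]

# Assumed Junos version shape: <major>.<minor>R<release>[-S<service>], with any
# trailing build suffix (e.g. ".5") ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")

Train = Tuple[int, int]
Release = Tuple[int, int]


def parse_junos_version(version: str) -> Tuple[Train, Release]:
    """Split e.g. '22.4R3-S6' into train (22, 4) and release (3, 6)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor)), (int(rel), int(svc or 0))


def _fixed_by_train() -> Dict[Train, List[Release]]:
    """Group the fixed releases by train so each train has a minimum fix."""
    by_train: Dict[Train, List[Release]] = {}
    for v in FIXED_RELEASES:
        train, rel = parse_junos_version(v)
        by_train.setdefault(train, []).append(rel)
    return by_train


def is_patched(version: str) -> Optional[bool]:
    """True = at/above the fix for its train, False = below it,
    None = train not covered by the article's list (check the advisory)."""
    train, rel = parse_junos_version(version)
    by_train = _fixed_by_train()
    if train in by_train:
        return rel >= min(by_train[train])
    if train > max(by_train):
        return True  # newer than 24.4R1: covered by "all subsequent releases"
    return None


if __name__ == "__main__":
    for v in ["21.4R3-S9", "21.4R3-S10", "24.2R1-S1", "24.2R2", "23.4R1"]:
        print(f"{v:12} patched={is_patched(v)}")
```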
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 13 Mar 2025 16:40:16 +0000