Juniper patches bug that let Chinese cyberspies backdoor routers

​Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.

This medium severity flaw (CVE-2025-21590) was reported by Amazon security engineer Matteo Memelli and is caused by an improper isolation or compartmentalization weakness. Successful exploitation lets local attackers with high privileges execute arbitrary code on vulnerable routers to compromise the devices' integrity.

"At least one instance of malicious exploitation (not at Amazon) has been reported to the Juniper SIRT. Customers are encouraged to upgrade to a fixed release as soon as it's available and in the meantime take steps to mitigate this vulnerability," Juniper warned in an out-of-cycle security advisory issued on Wednesday,

"While the complete list of resolved platforms is under investigation, it is strongly recommended to mitigate the risk of exploitation by restricting shell access to trusted users only."

The vulnerability impacts NFX-Series, Virtual SRX, SRX-Series Branch, SRX-Series HE, EX-Series, QFX-Series, ACX, and MX-Series devices and was resolved in 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases.

CISA also added CVE-2025-21590 to its catalog of actively exploited vulnerabilities on Thursday, ordering Federal Civilian Executive Branch (FCEB) agencies to secure vulnerable Juniper devices by April 3rd as mandated by Binding Operational Directive (BOD) 22-01.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the U.S. cybersecurity agency said.

Exploited by Chinese cyberspies

Juniper's advisory was released the same day as a Mandiant report revealing that Chinese hackers have exploited the security flaw since 2024 to backdoor vulnerable Juniper routers that reached end-of-life (EoL).

All six backdoors deployed in this campaign had distinct C2 communication methods and used a separate set of hardcoded C2 server addresses.

"In mid 2024, Mandiant discovered threat actors deployed custom backdoors operating on Juniper Networks' Junos OS routers," the cybersecurity company explained. "Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL based backdoors operating on Juniper Networks' Junos OS routers."

UNC3886 is known for orchestrating sophisticated attacks exploiting zero-day vulnerabilities in edge networking devices and virtualization platforms.

Earlier this year, Black Lotus Labs researchers said that unknown threat actors have been targeting Juniper edge devices (many acting as VPN gateways) with J-magic malware that opens a reverse shell if it detects a "magic packet" in the network traffic.

The J-magic campaign was active between mid-2023 and at least mid-2024, and its goal was to gain long-term access to the compromised devices while evading detection.

Black Lotus Labs linked this malware with "low confidence" to the SeaSpy backdoor. Another Chinese-nexus threat actor (tracked as UNC4841) deployed this malware more than two years ago on Barracuda Email Security Gateways to breach the email servers of U.S. government agencies.