Juniper Networks has released a fix for the Junos OS vulnerability that Mandiant researchers say has been exploited by a China-based espionage group.
Juniper Networks has released a patch fixing a vulnerability — which has seen reported exploitation in China-linked espionage attacks — affecting Junos OS routers.
In an advisory, Juniper urged customers to implement the fixes and cited the report about “malicious exploitation” of the flaw (which is tracked at CVE-2025-21590).
[Related: 10 Major Ransomware Attacks And Data Breaches In 2024]
CRN has reached out to Juniper for further comment.
What follows are five things to know about the China-linked Juniper router attacks.
Espionage Campaign
In a post Wednesday, Mandiant researchers disclosed details on an espionage campaign by a “China-nexus” threat group targeting Juniper routers. The campaign has come to include the latest attacks exploiting the newly discovered Junos OS vulnerability, according to the researchers at Google Cloud-owned Mandiant.
The researchers said in the post that they had initially discovered the threat actor exploiting Junos OS routers starting in mid-2024.
The attackers were found to have “deployed custom backdoors on Juniper Networks’ Junos OS routers,” the researchers wrote. “Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886.”
‘Highly Adept’ Attackers
Mandiant had previously disclosed findings on UNC3886 in June 2024, including tactics around abuse of legitimate credentials.
The researchers said in the post Wednesday that the espionage group has shown a focus on “maintaining long-term access to victim networks” as well as a “deep understanding of the underlying technology of the appliances being targeted.”
Overall, UNC3886 is a “highly adept China-nexus cyber espionage group that has historically targeted network devices and virtualization technologies with zero-day exploits,” the researchers wrote.
Targets have mainly included organizations in the defense, technology and telecommunication industries, both in U.S. as well as Asia, according to the Mandiant researchers.
Vulnerability Discovery
The medium-severity vulnerability in Junos OS (CVE-2025-21590) was discovered and reported by an Amazon security engineer, Matteo Memelli, according to Juniper.
The vulnerability “allows a local attacker with high privileges to compromise the integrity of the device,” Juniper said in its advisory.
In the Mandiant post, researchers disclosed that UNC3886 is known to have exploited the Junos OS vulnerability.
Patch Released
In the advisory Wednesday, Juniper released emergency “out-of-cycle” security fixes in connection with the vulnerability.
“At least one instance of malicious exploitation (not at Amazon) has been reported to the Juniper SIRT,” the company said.
Customers are “encouraged to upgrade to a fixed release,” Juniper said.
‘Active’ Exploitation Confirmed
In an advisory Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the Junos OS vulnerability has seen exploitation in attacks.
CISA said it has added the flaw to its catalog of exploited vulnerabilities, “based on evidence of active exploitation.”
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the agency said, adding that it “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities.”
