Which Junos OS versions are affected by BlastRADIUS?

All versions before 21.4R3-S11, versions from 22.2 before 22.2R3-S7, from 22.4 before 22.4R3-S7, from 23.2 before 23.2R2-S4, from 23.4 before 23.4R2-S5, from 24.2 before 24.2R2-S1, and from 24.4 before 24.4R1-S3, 24.4R2.

Which Junos OS Evolved versions are vulnerable?

Junos OS Evolved versions from 23.4-EVO before 23.4R2-S5-EVO, from 24.2-EVO before 24.2R2-S1-EVO, and from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO are affected by the BlastRADIUS vulnerability.

Are all Juniper systems vulnerable to BlastRADIUS?

No, only systems configured for RADIUS-based subscriber authentication are vulnerable. This includes systems using configurations with [access radius-server] or [access profile radius-server].

What patches has Juniper released for BlastRADIUS?

Juniper has released fixed versions including Junos OS 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1 and all subsequent releases. For Junos OS Evolved: 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.1R1-EVO and subsequent releases.

How serious is the BlastRADIUS vulnerability?

BlastRADIUS is a critical vulnerability with a CVSS score of 9.1, making it a high-priority security issue that allows attackers to bypass authentication and gain unauthorized access to network devices.

Advisory

Juniper releases patches for Junos OS and Junos OS Evolved to fix "BlastRADIUS" RADIUS protocol flaw

Q: What is the BlastRADIUS vulnerability in Juniper Networks products?

BlastRADIUS is a critical vulnerability tracked as CVE-2024-3596 (CVSS score 9.1) that affects the underlying RADIUS protocol in all versions of Junos OS and specific versions of Junos OS Evolved. It allows attackers to bypass authentication and gain unauthorized access to network devices using RADIUS-based authentication.

Q: What causes the BlastRADIUS vulnerability?

The vulnerability is caused by improper validation of integrity check values and improper enforcement of message integrity during transmission in RADIUS communication channels.

Q: What new security feature did Juniper introduce to address BlastRADIUS?

Juniper introduced a new configuration flag called 'message-authenticator' within the radius-server configuration, which is enabled by default and enforces checking of the Message-Authenticator attribute in all Access-Response messages from RADIUS servers.

Q: Is there a workaround for organizations that cannot immediately patch?

Yes, for organizations unable to immediately update their systems, Juniper recommends enabling RADIUS over TLS (RADSEC) to encrypt RADIUS traffic using TLS with the configuration [access radsec destination address x.x.x.x].

Q: What should organizations with affected Juniper systems do?

Organizations should prioritize updating to the latest fixed software releases that include the new message-authenticator functionality. For systems that cannot be immediately updated, they should enable RADIUS over TLS (RADSEC) to encrypt RADIUS traffic as a temporary mitigation.

published: July 11, 2025

Take action: Review your Juniper device configuration. If you have Juniper devices using RADIUS authentication (configurations with [access radius-server]), update to the latest patched Junos OS or Junos OS Evolved versions to fix the BlastRADIUS flaw. If you can't patch, enable RADIUS over TLS (RADSEC) as a temporary workaround to encrypt RADIUS traffic and prevent exploitation of BlastRadius.

Learn More

Juniper Networks has released patches to fix a critical vulnerability in the underlying RADIUS protocol that affects all versions of Junos OS and specific versions of Junos OS Evolved, attackers to bypass authentication and gain unauthorized access to network devices using RADIUS-based authetication.

The vulnerability is known as "BlastRADIUS" and tracked as CVE-2024-3596 (CVSS score 9.1), it's caused by improper validation of integrity check values and improper enforcement of message integrity during transmission in RADIUS communication channels.

Affected versions of Junos OS

All versions before 21.4R3-S11
From 22.2 before 22.2R3-S7
From 22.4 before 22.4R3-S7
From 23.2 before 23.2R2-S4
From 23.4 before 23.4R2-S5
From 24.2 before 24.2R2-S1
From 24.4 before 24.4R1-S3, 24.4R2

Affected versions of Junos OS Evolved:

From 23.4-EVO before 23.4R2-S5-EVO
From 24.2-EVO before 24.2R2-S1-EVO
From 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO

NOTE: Only systems configured for RADIUS-based subscriber authentication are vulnerable to this issue using configurations with [access radius-server] or [access profile <name> radius-server].

Juniper Networks has released patched versions and has introduced a new configuration flag called 'message-authenticator' within the radius-server configuration, which is enabled by default and enforces checking of the Message-Authenticator attribute in all Access-Response messages from RADIUS servers.

Fixed Software Releases:

Junos OS: 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S5, 24.2R2-S1, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases
Junos OS Evolved: 23.4R2-S5-EVO, 24.2R2-S1-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.1R1-EVO, and all subsequent releases

For organizations unable to immediately update their systems, Juniper recommends enabling RADIUS over TLS (RADSEC) to encrypt RADIUS traffic using TLS: [access radsec destination <ID> address x.x.x.x].

Organizations using affected Juniper systems should prioritize updating to the latest fixed software releases that include the new message-authenticator functionality. For systems that cannot be immediately updated, enable RADIUS over TLS (RADSEC) to encrypt RADIUS traffic.

Juniper releases patches for Junos OS and Junos OS Evolved to fix "BlastRADIUS" RADIUS protocol flaw

Read More
Zero Day Initiative reports 13 vulnerabilities in Ivanti …
Cisco reports critical flaw in Cisco Secure Email …
Palo Alto confirms PAN-OS vulnerability CVE-2025-0108 actively exploited
Fortinet patches actively exploited FortiWeb vulnerability
FCX routers vulnerable to actively exploited flaw by …