CVE Alert: CVE-2025-59964 – Juniper Networks – Junos OS

CVE-2025-59964

HIGH · No exploitation known

A Use of Uninitialized Resource vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX4700 devices allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When forwarding-options sampling is enabled, receipt of any traffic destined to the Routing Engine (RE) by the PFE line card leads to an FPC crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of any traffic leading to the RE by the PFE line card will create a sustained Denial of Service (DoS) condition to the PFE line card. This issue affects Junos OS on SRX4700: from 24.4 before 24.4R1-S3, 24.4R2. This issue affects IPv4 and IPv6.

CVSS v3.1 (7.5)
AV NETWORK · AC LOW · PR NONE · UI NONE · S UNCHANGED
Vendor
Juniper Networks
Product
Junos OS
Versions
24.4 (before 24.4R1-S3, 24.4R2)
CWE
CWE-908: Use of Uninitialized Resource
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published
2025-10-09T15:46:25.285Z
Updated
2025-10-09T19:00:04.954Z

AI Summary Analysis

Risk verdict

High risk to availability for affected SRX4700 deployments; network-based DoS without authentication is plausible, and patching should be prioritised in change windows.

Why this matters

The issue crashes and restarts the PFE line card (FPC) when forwarding-options sampling is enabled, and the FPC is taken down again for as long as RE-destined traffic keeps arriving, so the outage persists rather than self-heals. In business terms, this risks network uptime, business continuity, and meeting SLAs for critical edge data paths.

Most likely attack path

An unauthenticated, remote attacker triggers the DoS by sending traffic that the PFE processes on its way to the RE; no user interaction is required and, per the advisory, any IPv4 or IPv6 traffic destined to the RE suffices, so no crafted packet is needed. The only precondition is that sampling is enabled. Because exploitation is network-level and needs no credentials, an attacker with reachability to the device can repeat the disruption at will.

Who is most exposed

Devices running Junos OS on SRX4700 in data-centre or service-provider edge roles, especially where sampling is configured, are most at risk. Environments still on 24.4 releases before 24.4R1-S3 or 24.4R2 are the primary concern; other release trains are not listed as affected.

Detection ideas

  • FPC crashes and restarts logged in system logs, particularly repeated crash/restart cycles on the same slot
  • Sudden traffic loss or intermittent connectivity to services behind the SRX4700
  • FPC-specific error messages or elevated PFE CPU preceding a crash
  • Loss of RE reachability (management, routing protocol adjacencies) that coincides with traffic surges towards the device
  • Verification of the forwarding-options sampling configuration state during baseline checks, so exposure is known before an incident

Mitigation and prioritisation

  • Upgrade to fixed releases: 24.4R1-S3, 24.4R2, 25.2R1 or later
  • If patching is not immediately possible, temporarily deactivate forwarding-options sampling (the vulnerable code path requires it)
  • Restrict which sources can send traffic to the RE during remediation (e.g. a loopback firewall filter limiting management-plane and protocol peers); since any RE-destined traffic can trigger the crash, this reduces exposure rather than removing it
  • Validate the fix in a test environment before broad rollout
  • Coordinate change windows and monitor post-upgrade stability; treat as priority 1 if KEV/EPSS indicators become available
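The following exposure-triage script is an added example and is not code from this page or from Juniper. It encodes the page's version table (24.4 train affected before 24.4R1-S3 and 24.4R2), checks a `show configuration | display set` dump for an active `forwarding-options sampling` stanza (a deactivated stanza appears as a `deactivate forwarding-options sampling` line), and scans syslog for repeated FPC crash/restart events on one slot. The sample configuration and log lines are constructed, and the log-message regex is an assumption to be tuned against real chassisd output.

```python
"""Exposure triage for CVE-2025-59964 (Junos OS 24.4 on SRX4700).

Added example, not from the advisory or from Juniper. Version logic follows
the page's table; the log pattern and sample data are assumptions.
"""
import re

# Junos version string: <major>.<minor>R<release>[-S<service>][.<build>]
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?$")


def parse_junos_version(version):
    """Return (major, minor, release, service, build); absent parts are 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def is_affected_version(version):
    """True if the version is inside the range the page lists for SRX4700:
    24.4R1 and its -S1/-S2 service releases. 24.4R1-S3 and 24.4R2 are the
    fix points; other trains are not listed as affected."""
    major, minor, release, service, _build = parse_junos_version(version)
    if (major, minor) != (24, 4):
        return False
    if release >= 2:
        return False          # 24.4R2 and later R releases carry the fix
    return service < 3        # 24.4R1, R1-S1, R1-S2 affected; R1-S3 fixed


def sampling_enabled(config_set_text):
    """True if a 'display set' config has an ACTIVE forwarding-options
    sampling stanza. A deactivated stanza keeps its 'set' lines but adds a
    'deactivate forwarding-options sampling' line."""
    lines = config_set_text.splitlines()
    present = any(re.match(r"^\s*set forwarding-options sampling\b", l) for l in lines)
    deactivated = any(re.match(r"^\s*deactivate forwarding-options sampling\s*$", l)
                      for l in lines)
    return present and not deactivated


# Assumed message shape: the slot number follows "FPC", and crash, core,
# restart or offline appears later on the line. Tune to your own logs.
_FPC_EVENT = re.compile(r"\bFPC\s*(\d+)\b.*\b(crash|core|restart|offline)", re.IGNORECASE)


def fpc_restart_bursts(log_lines, threshold=2):
    """Count crash/restart events per FPC slot; return {slot: count} for
    slots at or above the threshold (a sustained DoS shows as a repeating cycle)."""
    counts = {}
    for line in log_lines:
        m = _FPC_EVENT.search(line)
        if m:
            slot = int(m.group(1))
            counts[slot] = counts.get(slot, 0) + 1
    return {slot: n for slot, n in counts.items() if n >= threshold}


def triage(version, config_set_text, log_lines):
    """Combine the three checks into one verdict dictionary."""
    affected = is_affected_version(version)
    sampling = sampling_enabled(config_set_text)
    return {
        "affected_version": affected,
        "sampling_enabled": sampling,
        "exposed": affected and sampling,
        "fpc_restart_bursts": fpc_restart_bursts(log_lines),
    }


# Constructed sample data (not captured from a real device).
SAMPLE_CONFIG_ON = """\
set forwarding-options sampling input rate 100
set forwarding-options sampling family inet output flow-server 192.0.2.10 port 2055
"""
SAMPLE_CONFIG_DEACTIVATED = SAMPLE_CONFIG_ON + "deactivate forwarding-options sampling\n"
SAMPLE_SYSLOG = [
    "Oct  9 15:46:01 srx4700 chassisd[1234]: FPC 0 core dump created",
    "Oct  9 15:46:05 srx4700 chassisd[1234]: FPC 0 offline, restarting",
    "Oct  9 15:47:30 srx4700 chassisd[1234]: FPC 0 online",
    "Oct  9 15:48:12 srx4700 chassisd[1234]: FPC 0 crash detected, restart",
    "Oct  9 15:48:40 srx4700 sshd[2222]: Accepted publickey for admin",
]

if __name__ == "__main__":
    print(triage("24.4R1-S2", SAMPLE_CONFIG_ON, SAMPLE_SYSLOG))
```

Run it against the output of `show version`, `show configuration | display set` and `show log messages` from each SRX4700; a device that is both on an affected version and has sampling active is exposed regardless of whether crashes have been observed yet, and repeated events on one slot are the sustained-DoS signature to escalate on. The interim workaround on the page maps to `deactivate forwarding-options sampling` followed by `commit`.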
