CVE-2025-21591: CWE-805: Buffer Access with Incorrect Length Value in Juniper Networks Junos OS

High
Published: Wed Apr 09 2025 (04/09/2025, 19:46:55 UTC)
Source: CVE
Vendor/Project: Juniper Networks
Product: Junos OS

Description

A Buffer Access with Incorrect Length Value vulnerability in the jdhcpd daemon of Juniper Networks Junos OS, when DHCP snooping is enabled, allows an unauthenticated, adjacent attacker to send a DHCP packet with a malformed DHCP option that causes jdhcpd to crash, creating a Denial of Service (DoS) condition. Continuous receipt of these DHCP packets with the malformed DHCP option will create a sustained DoS condition.

This issue affects Junos OS:

* from 23.1 before 23.2R2-S3,
* from 23.4 before 23.4R2-S3,
* from 24.2 before 24.2R2.

This issue isn't applicable to any versions of Junos OS before 23.1R1. This issue doesn't affect vSRX Series, which doesn't support DHCP Snooping. This issue doesn't affect Junos OS Evolved. There are no indicators of compromise for this issue.

AI-Powered Analysis

Last updated: 06/24/2025, 20:20:49 UTC

Technical Analysis

CVE-2025-21591 is a high-severity vulnerability identified in the jdhcpd daemon component of Juniper Networks Junos OS, specifically when DHCP snooping is enabled. The vulnerability is classified under CWE-805, which involves buffer access with an incorrect length value. An unauthenticated attacker located on an adjacent network segment can exploit this flaw by sending a specially crafted DHCP packet containing a malformed DHCP option. This malformed packet causes the jdhcpd daemon to crash, resulting in a Denial of Service (DoS) condition. If the attacker continuously sends such malformed packets, the DoS condition can be sustained, effectively disrupting network services reliant on Junos OS devices.

The affected versions include Junos OS releases from 23.1 before 23.2R2-S3, from 23.4 before 23.4R2-S3, and from 24.2 before 24.2R2. Notably, versions prior to 23.1R1 are not affected, nor are the vSRX Series devices (which do not support DHCP snooping) or Junos OS Evolved.

The vulnerability does not require any authentication or user interaction, and the attacker must be adjacent on the network, meaning they need to be on the same Layer 2 segment or have access to the broadcast domain where DHCP packets are exchanged. There are currently no known exploits in the wild or indicators of compromise associated with this vulnerability.

The CVSS v3.1 base score is 7.4, reflecting a high severity primarily due to the potential for network disruption and the ease of exploitation without privileges or user interaction. The scope is changed (S:C), indicating that the impact extends beyond the vulnerable component to affect other components or systems relying on the Junos OS device's availability.
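The bug class described above (CWE-805) comes down to trusting a length field without checking it against the bytes actually present. As an added illustration (not Juniper's code, and not the specific malformation, which the advisory does not disclose), the following Python walks the options field of a DHCP payload per RFC 2131/2132 and reports structural problems. The function names and the `sample_payload` byte strings are constructed for this example.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: precedes the options field
BOOTP_FIXED_LEN = 236               # fixed BOOTP header before the cookie
# Options whose length is fixed by RFC 2132 (code -> required length)
FIXED_LEN = {1: 4, 51: 4, 53: 1, 54: 4, 57: 2, 58: 4, 59: 4}


def check_dhcp_options(payload: bytes) -> list:
    """Return structural problems found in a DHCP payload's options field."""
    start = BOOTP_FIXED_LEN + len(MAGIC_COOKIE)
    if len(payload) < start:
        return ["payload shorter than BOOTP header plus magic cookie"]
    if payload[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        return ["missing DHCP magic cookie"]
    opts, problems, i = payload[start:], [], 0
    while i < len(opts):
        code = opts[i]
        if code == 0:                      # pad option: one byte, no length
            i += 1
            continue
        if code == 255:                    # end option: stop parsing
            break
        if i + 1 >= len(opts):
            problems.append(f"option {code}: length byte missing")
            break
        length = opts[i + 1]
        remaining = len(opts) - (i + 2)
        if length > remaining:             # declared length vs. bytes present
            problems.append(
                f"option {code}: declared length {length} exceeds {remaining} remaining bytes")
            break
        required = FIXED_LEN.get(code)
        if required is not None and length != required:
            problems.append(f"option {code}: length {length}, RFC 2132 requires {required}")
        i += 2 + length
    else:                                  # loop ended without seeing option 255
        problems.append("options field has no end option (255)")
    return problems


def sample_payload(options: bytes) -> bytes:
    """Constructed test input: zeroed BOOTP header + cookie + given options."""
    return bytes(BOOTP_FIXED_LEN) + MAGIC_COOKIE + options


if __name__ == "__main__":
    well_formed = sample_payload(b"\x35\x01\x01\x37\x03\x01\x03\x06\xff")
    truncated = sample_payload(b"\x35\x01\x01\x3d\x28\x01\xaa\xbb")
    for name, pkt in (("well_formed", well_formed), ("truncated", truncated)):
        print(name, check_dhcp_options(pkt) or "ok")
```

Run against DHCP payloads extracted from a capture, a non-empty result marks a packet worth correlating with jdhcpd restarts.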

Potential Impact

For European organizations, the impact of CVE-2025-21591 can be significant, especially for enterprises, service providers, and critical infrastructure operators that rely on Juniper Networks Junos OS devices with DHCP snooping enabled. The vulnerability enables an unauthenticated attacker to cause a DoS by crashing the DHCP daemon, potentially disrupting DHCP services and network connectivity. This can lead to loss of network availability, impacting business operations, communications, and access to critical applications. In environments where Junos OS devices serve as core or edge routers, or DHCP relay agents, the disruption could cascade, affecting multiple network segments or services. Given that DHCP snooping is often enabled as a security measure to prevent DHCP spoofing attacks, this vulnerability ironically undermines network stability when that feature is active. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing risk. Although no known exploits exist yet, the potential for automated attacks or lateral movement within compromised networks is a concern. Additionally, the sustained DoS capability could be leveraged in targeted attacks against European organizations with high availability requirements, such as financial institutions, telecommunications providers, and government agencies.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize the following actions:

1) Immediate patching: Apply the latest Junos OS updates that address this vulnerability, specifically versions 23.2R2-S3 or later for the 23.1 branch, 23.4R2-S3 or later for the 23.4 branch, and 24.2R2 or later for the 24.2 branch.
2) DHCP snooping review: Temporarily disable DHCP snooping on affected devices if patching cannot be performed immediately, understanding this may reduce protection against DHCP spoofing.
3) Network segmentation: Restrict access to Layer 2 broadcast domains where DHCP packets are exchanged, limiting the ability of unauthenticated adjacent attackers to send malicious packets.
4) Monitoring and anomaly detection: Implement network monitoring to detect unusual DHCP traffic patterns, such as malformed DHCP options or repeated DHCP daemon crashes.
5) Access control: Enforce strict physical and logical controls to prevent unauthorized devices from connecting to network segments where Junos OS devices operate.
6) Incident response readiness: Prepare to respond to potential DoS incidents by having failover or redundancy plans for critical Junos OS devices.
7) Vendor coordination: Stay informed through Juniper Networks advisories for any additional mitigations or detection signatures.

These steps go beyond generic advice by focusing on immediate patching, temporary configuration changes, and network-level controls tailored to the nature of the vulnerability and its exploitation vector.
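To prioritize the patching step across a fleet, the affected ranges can be turned into a version check. This is an added example, not vendor tooling: it encodes the ranges exactly as the advisory states them, assumes R-type version strings of the form reported by `show version` (for example `23.4R2-S3.5`), and uses a constructed inventory with hypothetical hostnames.

```python
import re
from typing import Optional

# Ranges as stated in the advisory: (first affected, first fixed release)
AFFECTED = [("23.1", "23.2R2-S3"), ("23.4", "23.4R2-S3"), ("24.2", "24.2R2")]
# major.minor[R<n>][.<spin>][-S<n>][.<spin>]; only R-type releases (assumption)
_VER = re.compile(r"(\d+)\.(\d+)(?:R(\d+))?(?:\.\d+)?(?:-S(\d+))?(?:\.\d+)?")


def parse_junos(version: str) -> tuple:
    """'23.4R2-S3.5' -> (23, 4, 2, 3); the spin number is ignored."""
    m = _VER.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def fixed_release(version: str, dhcp_snooping: bool = True) -> Optional[str]:
    """Return the fixed release to move to, or None if the device is not exposed."""
    if not dhcp_snooping or version.strip().upper().endswith("-EVO"):
        return None   # snooping off, or Junos OS Evolved: not affected per advisory
    v = parse_junos(version)
    for first_affected, first_fixed in AFFECTED:
        if parse_junos(first_affected) <= v < parse_junos(first_fixed):
            return first_fixed
    return None


def triage(inventory: dict) -> dict:
    """Map hostname -> fixed release for every exposed device in the inventory."""
    result = {}
    for host, (version, snooping) in inventory.items():
        target = fixed_release(version, snooping)
        if target:
            result[host] = target
    return result


# Constructed inventory: hostname -> (version string, DHCP snooping enabled?)
INVENTORY = {
    "access-sw1": ("23.2R2-S2.4", True),
    "access-sw2": ("23.4R2-S3.5", True),
    "core-rtr1": ("24.2R1-S1", False),
    "dist-sw1": ("24.2R1.17", True),
    "old-sw1": ("22.4R3-S5", True),
}

if __name__ == "__main__":
    print(triage(INVENTORY))
```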

Technical Details

Data Version: 5.1
Assigner Short Name: juniper
Date Reserved: 2024-12-26T14:47:11.667Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef68b

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 8:20:49 PM

Last updated: 8/15/2025, 12:31:34 AM
