CVE-2025-30644 is a critical heap-based buffer overflow vulnerability identified in the flexible PIC concentrator (FPC) of Juniper Networks Junos OS, impacting a broad range of EX and QFX series switches including EX2300 through EX4650-48Y and QFX5k series. The vulnerability arises from improper handling of DHCP packets, specifically crafted to exploit the heap overflow condition. When an attacker sends a malicious DHCP packet, the FPC component can crash and restart, causing a Denial of Service (DoS) condition. This DoS can be sustained if the attacker continues sending the crafted packets. Additionally, under a rare timing scenario involving DHCP Option 82, memory corruption may occur, which can lead to more severe consequences such as remote code execution (RCE) within the FPC. Successful exploitation of RCE would grant an attacker complete control over the vulnerable FPC component, potentially allowing manipulation of packet forwarding and other critical network functions. The vulnerability affects multiple Junos OS versions before 21.4R3-S9, 22.2 before 22.2R3-S5, 22.4 before 22.4R3-S5, 23.2 before 23.2R2-S3, 23.4 before 23.4R2-S3, and 24.2 before 24.2R2. The CVSS 3.1 base score is 7.5, indicating high severity with network attack vector (AV:A), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits have been reported in the wild yet, but the potential for remote code execution elevates the risk profile significantly. Juniper Networks has published advisories and patches for affected versions, though patch links were not provided in the source data. This vulnerability is particularly concerning for organizations relying on Juniper EX and QFX series switches in their network infrastructure, as exploitation could disrupt network operations and compromise device integrity.

The impact of CVE-2025-30644 is significant for organizations using affected Juniper Networks switches, as it can cause sustained Denial of Service (DoS) conditions by crashing the flexible PIC concentrator (FPC), disrupting network availability and potentially causing outages. More critically, under certain conditions, the vulnerability may allow remote code execution (RCE) on the FPC, granting attackers full control over this critical network component. This could lead to manipulation of network traffic, interception or modification of data, and persistent compromise of network infrastructure. The high severity score reflects the broad impact on confidentiality, integrity, and availability. Organizations in sectors with high dependency on network uptime and security—such as telecommunications, finance, government, and large enterprises—face elevated risks. The requirement for network access and high attack complexity somewhat limits the ease of exploitation, but the potential consequences warrant urgent attention. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

1. Apply Juniper Networks’ security patches and updates for Junos OS versions affected by CVE-2025-30644 as soon as they become available. Regularly monitor Juniper’s security advisories for updates. 2. If immediate patching is not feasible, implement network-level controls to restrict or filter DHCP traffic to trusted sources only, minimizing exposure to crafted DHCP packets. 3. Disable DHCP Option 82 if it is not required in your network environment, as its enablement is linked to increased risk of memory corruption exploitation. 4. Employ network segmentation and access control lists (ACLs) to limit access to management and control plane interfaces of affected devices, reducing the attack surface. 5. Monitor network devices for unusual crashes, restarts, or anomalous DHCP traffic patterns that could indicate exploitation attempts. 6. Conduct regular security assessments and penetration testing focused on network infrastructure to identify potential weaknesses. 7. Maintain comprehensive backups and incident response plans to quickly recover from potential DoS or compromise events. 8. Educate network operations teams about this vulnerability and ensure rapid response procedures are in place.