CVE-2025-30645: CWE-476 NULL Pointer Dereference in Juniper Networks Junos OS
A NULL Pointer Dereference vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker causing specific, valid control traffic to be sent out of a Dual-Stack (DS) Lite tunnel to crash the flowd process, resulting in a Denial of Service (DoS). Continuous triggering of specific control traffic will create a sustained Denial of Service (DoS) condition. On all SRX platforms, when specific, valid control traffic needs to be sent out of a DS-Lite tunnel, a segmentation fault occurs within the flowd process, resulting in a network outage until the flowd process restarts.
This issue affects Junos OS on SRX Series:
* All versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S9,
* from 22.2 before 22.2R3-S5,
* from 22.4 before 22.4R3-S6,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2.
AI Analysis
Technical Summary
CVE-2025-30645 is a vulnerability identified in the flow daemon (flowd) component of Juniper Networks Junos OS running on SRX Series devices. The flaw is a NULL Pointer Dereference (CWE-476) that occurs when specific, valid control traffic is sent out of a Dual-Stack Lite (DS-Lite) tunnel. This causes the flowd process to crash due to a segmentation fault, resulting in a Denial of Service (DoS) condition. The vulnerability affects Junos OS on SRX platforms in all versions before 21.2R3-S9 and in the 21.4, 22.2, 22.4, 23.2, and 23.4 branches before 21.4R3-S9, 22.2R3-S5, 22.4R3-S6, 23.2R2-S3, and 23.4R2 respectively. The impact is a network outage until the flowd process restarts, and continuous triggering of the specific control traffic can sustain the DoS condition. The vulnerability does not require authentication or user interaction, but it requires the attacker to cause specific, valid control traffic to be sent out of a DS-Lite tunnel. No known exploits are currently reported in the wild, and no official patches are linked yet. The issue is rooted in improper handling of control traffic within the DS-Lite tunneling mechanism, which is used to facilitate IPv4 connectivity over IPv6 networks. The flowd process is critical for managing network flows on SRX devices, so its crash leads to disruption of network traffic and potential loss of availability for services relying on these devices.
Potential Impact
For European organizations, especially those relying on Juniper SRX Series firewalls and routers for network security and traffic management, this vulnerability poses a significant risk of network disruption. The DoS condition can lead to temporary loss of connectivity, impacting business operations, critical infrastructure, and service availability. Organizations using DS-Lite tunnels to support IPv4 over IPv6 transition mechanisms are particularly vulnerable. This can affect ISPs, telecom providers, and enterprises with dual-stack deployments. The sustained DoS could be exploited by attackers to disrupt services during critical periods or as part of a larger attack campaign. Given the reliance on Juniper SRX devices in many European telecom networks and data centers, the vulnerability could affect a broad range of sectors including finance, government, healthcare, and industrial control systems. The inability to process control traffic correctly could also complicate incident response and network troubleshooting during an attack or failure event.
Mitigation Recommendations
1. Immediate mitigation should include monitoring network traffic for unusual or repeated DS-Lite control traffic patterns that could trigger the vulnerability.
2. Implement network segmentation and filtering to restrict untrusted sources from sending DS-Lite control traffic to SRX devices.
3. Where possible, temporarily disable DS-Lite tunneling if it is not critical to operations until patches are available.
4. Apply strict access control lists (ACLs) on interfaces facing untrusted networks to limit exposure.
5. Prepare for rapid restart procedures of the flowd process to minimize downtime if a crash occurs.
6. Engage with Juniper Networks support to obtain early access to patches or workarounds as they become available.
7. Conduct thorough testing of updated Junos OS versions in a controlled environment before deployment.
8. Maintain up-to-date backups of device configurations to enable quick recovery.
9. Enhance network monitoring and alerting specifically for flowd process crashes and related anomalies.
10. Educate network operations teams about this vulnerability and response procedures to reduce mean time to recovery.
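To decide which SRX devices need an upgrade, the affected ranges in the description can be checked against an inventory. The following is an added example, not part of the original advisory or any Juniper tooling; the function names, hostnames and sample versions are constructed, and only R-type version strings are parsed.

```python
import re

# First fixed release per Junos train (R number, service release), copied
# from the affected-version list in the advisory text on this page.
FIXED = {
    (21, 2): (3, 9),  # 21.2R3-S9
    (21, 4): (3, 9),  # 21.4R3-S9
    (22, 2): (3, 5),  # 22.2R3-S5
    (22, 4): (3, 6),  # 22.4R3-S6
    (23, 2): (2, 3),  # 23.2R2-S3
    (23, 4): (2, 0),  # 23.4R2
}
# Matches e.g. "22.4R3-S6" or "22.4R3-S6.2"; the trailing build number is ignored.
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse_junos(version):
    """Return ((major, minor), (release, service)) for an R-type version string."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unsupported Junos version string: {version!r}")
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor)), (int(rel), int(svc or 0))

def classify(version):
    """Classify a version as 'affected', 'fixed' or 'not-listed'."""
    train, release = parse_junos(version)
    if train in FIXED:
        return "affected" if release < FIXED[train] else "fixed"
    if train < (21, 2):
        return "affected"  # "All versions before 21.2R3-S9"
    return "not-listed"    # the advisory text says nothing about this train

def audit(inventory):
    """Map hostname -> classification; 'unparsed' entries need manual review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparsed"
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"srx-edge-1": "21.4R3-S8.4", "srx-edge-2": "23.4R2",
          "srx-lab": "20.4R3-S10", "srx-dc-1": "24.2R1-S1",
          "srx-old": "15.1X49-D240"}
```

A "not-listed" or "unparsed" result is not a statement that the device is safe; those versions should be checked against the vendor bulletin by hand.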
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: juniper
- Date Reserved: 2025-03-24T19:34:11.320Z
- Cisa Enriched: true
Threat ID: 682d983fc4522896dcbf0925
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/24/2025, 9:25:33 AM
Last updated: 8/16/2025, 12:21:24 AM