CVE-2025-52953 is a medium severity vulnerability identified in the routing protocol daemon (rpd) component of Juniper Networks Junos OS and Junos OS Evolved. The vulnerability is classified as CWE-440, which refers to an Expected Behavior Violation. Specifically, an unauthenticated attacker who is adjacent on the network can send a specially crafted valid BGP UPDATE packet to a vulnerable Junos OS device. This packet triggers a BGP session reset, causing a Denial of Service (DoS) condition. The vulnerability affects both iBGP and eBGP sessions and impacts IPv4 and IPv6 routing protocols. The issue arises because the rpd process does not correctly handle certain BGP UPDATE packets, violating expected protocol behavior and leading to session disruption. Continuous exploitation by repeatedly sending such packets can sustain the DoS condition, effectively disrupting network routing and connectivity. The affected versions span multiple releases of Junos OS and Junos OS Evolved, including all versions before 21.2R3-S9 and various subsequent versions up to 24.4R2-EVO, indicating a broad impact across many currently deployed Juniper devices. The CVSS v3.1 base score is 6.5, reflecting a medium severity level with an attack vector of adjacent network access, low attack complexity, no privileges or user interaction required, and impact limited to availability (no confidentiality or integrity impact). No known exploits are currently reported in the wild, but the vulnerability could be leveraged by attackers with network adjacency to disrupt routing infrastructure.

For European organizations, this vulnerability poses a significant risk to network infrastructure stability, particularly for enterprises, ISPs, and data centers relying on Juniper Networks routers running vulnerable Junos OS versions. Disruption of BGP sessions can lead to routing instability, loss of connectivity, and potential outages affecting critical business operations and internet services. Given the importance of BGP in managing internet and internal routing, sustained DoS conditions could degrade service availability, impacting financial institutions, government networks, telecommunications providers, and cloud service operators across Europe. The lack of confidentiality or integrity impact limits data breach risks, but availability degradation can have cascading effects on dependent services and critical infrastructure. Organizations with multi-homed networks or those using Juniper devices for border routing are particularly vulnerable. The attack requires adjacency, so exposure is higher in environments where BGP peers are reachable by untrusted or semi-trusted networks, such as internet exchange points or poorly segmented internal networks.

European organizations should prioritize upgrading Juniper devices to fixed versions as listed by Juniper Networks, ensuring deployment of patches for both Junos OS and Junos OS Evolved. Network administrators should audit BGP peer configurations to restrict adjacency to trusted and authenticated peers only, employing BGP session authentication mechanisms such as TCP MD5 signatures or TCP-AO where supported. Implement strict network segmentation and access control lists (ACLs) to limit which devices can send BGP UPDATE packets to routing devices. Monitoring and alerting on abnormal BGP session resets and unusual BGP UPDATE traffic patterns can provide early detection of exploitation attempts. Additionally, organizations should consider deploying BGP session protection features and rate limiting on BGP control plane traffic to mitigate the impact of repeated malicious packets. Regular vulnerability scanning and configuration reviews should be conducted to ensure no legacy or unsupported versions remain in production. Finally, incident response plans should include procedures for rapid remediation of routing disruptions caused by this vulnerability.