
CVE-2025-52960: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in Juniper Networks Junos OS

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-52960, cwe-120
Published: Thu Oct 09 2025 (10/09/2025, 15:40:20 UTC)
Source: CVE Database V5
Vendor/Project: Juniper Networks
Product: Junos OS

Description

A Buffer Copy without Checking Size of Input vulnerability in the Session Initiation Protocol (SIP) ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When memory utilization is high and specific SIP packets are received, flowd/mspmand crashes. While the system recovers automatically, the disruption can significantly impact service stability. Continuous receipt of these specific SIP packets, while high utilization is present, will cause a sustained DoS condition. The utilization is outside the attacker's control, so they would not be able to deterministically exploit this.

This issue affects Junos OS on SRX Series and MX Series:

* All versions before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2.

AI-Powered Analysis

Last updated: 12/01/2025, 08:58:01 UTC

Technical Analysis

CVE-2025-52960 is a classic buffer overflow vulnerability (CWE-120) found in the SIP ALG (Application Layer Gateway) component of Juniper Networks Junos OS, specifically on MX Series and SRX Series devices. The vulnerability arises from improper handling of SIP packets where the size of input data is not properly checked before copying into a buffer. When the device is under high memory utilization, receiving specific crafted SIP packets causes the flowd/mspmand processes to crash due to memory corruption. These processes are critical for session and flow management in Junos OS. Although the system automatically recovers from the crash, repeated triggering can cause a sustained denial of service, disrupting network traffic and service availability. The attacker does not require authentication or user interaction and can launch the attack remotely over the network. However, the attack complexity is high because exploitation depends on the device being in a high memory utilization state, which the attacker cannot reliably induce. The vulnerability affects multiple Junos OS versions: all versions before 22.4R3-S7, from 23.2 before 23.2R2-S4, from 23.4 before 23.4R2-S5, and from 24.2 before 24.2R2. No public exploits have been reported yet, but the vulnerability is publicly disclosed and assigned a CVSS v3.1 score of 5.9, indicating a medium severity level. Juniper Networks has released patches in the specified versions to address this issue.

Potential Impact

For European organizations, this vulnerability can impact critical network infrastructure that relies on Juniper MX and SRX Series devices running vulnerable Junos OS versions. These devices are commonly used in enterprise edge routing, firewalling, and session management roles. A successful attack can cause denial of service by crashing key processes, leading to network outages or degraded service availability. This can disrupt business operations, especially for service providers, financial institutions, and large enterprises with high dependency on continuous network uptime. The inability to deterministically exploit the vulnerability reduces the risk somewhat, but the potential for sustained DoS under high memory conditions remains a concern. Additionally, the automatic recovery does not prevent repeated crashes if the attack persists, potentially causing intermittent service instability. Confidentiality and integrity are not impacted, but availability degradation can affect critical communications and services. Organizations with high network traffic and memory utilization are at greater risk. The lack of known exploits in the wild currently limits the immediate threat, but patching is recommended to prevent future exploitation.

Mitigation Recommendations

European organizations should prioritize patching affected Junos OS devices to versions 22.4R3-S7 or later, 23.2R2-S4 or later, 23.4R2-S5 or later, and 24.2R2 or later as applicable. Network administrators should monitor memory utilization on MX and SRX devices to identify periods of high load that could increase vulnerability exposure. Implementing rate limiting or filtering of SIP traffic at network edges can reduce the likelihood of receiving malicious SIP packets. Deploying intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect anomalous SIP packet patterns may help detect exploitation attempts. Network segmentation to isolate critical Junos OS devices from untrusted networks can reduce attack surface. Regularly reviewing device logs for flowd/mspmand crashes or SIP-related anomalies can provide early warning signs. Organizations should also engage with Juniper support for any additional recommended mitigations or hotfixes. Finally, maintaining an up-to-date asset inventory of Junos OS devices and their versions will aid in targeted remediation efforts.
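The affected ranges above can be checked against an asset inventory. The following is an added example, not code from Juniper or from this page: it assumes version strings of the form `<major>.<minor>R<n>[-S<n>][.<spin>]`, an inventory already limited to MX and SRX devices, and hostnames and status labels that are constructed for illustration. Release trains the advisory does not mention are reported as `not-listed` rather than guessed.

```python
import re

# First fixed (R, S) per release train, taken from the advisory text.
FIRST_FIXED = {(23, 2): (2, 4), (23, 4): (2, 5), (24, 2): (2, 0)}
OLDEST_FIXED = (22, 4, 3, 7)  # "all versions before 22.4R3-S7"

# Assumed format: <major>.<minor>R<n>[-S<n>][.<spin>]; the spin is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse(version):
    """Return (major, minor, release, service) or None if unparseable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def status(version):
    """Classify a version as affected, fixed, not-listed or unknown."""
    parsed = parse(version)
    if parsed is None:
        return "unknown"          # needs manual review
    if parsed < OLDEST_FIXED:
        return "affected"         # covers every train older than 22.4
    train, rel = parsed[:2], parsed[2:]
    if train == (22, 4):
        return "fixed"
    if train in FIRST_FIXED:
        return "affected" if rel < FIRST_FIXED[train] else "fixed"
    return "not-listed"           # train not named in the advisory

def triage(inventory):
    """Map each host that is not confirmed fixed to its status."""
    return {h: s for h, v in inventory.items() if (s := status(v)) != "fixed"}

# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = {
    "edge-mx-01": "21.4R3-S9.5",
    "edge-srx-02": "22.4R3-S7.2",
    "core-mx-03": "23.2R2-S3",
    "core-mx-04": "23.4R2-S5",
    "dc-srx-05": "24.2R1-S2",
    "lab-srx-06": "23.1R2",
    "lab-mx-07": "n/a",
}

if __name__ == "__main__":
    for host, state in sorted(triage(INVENTORY).items()):
        print(f"{host}: {state}")
```

Hosts reported as `not-listed` or `unknown` should be checked against the vendor advisory directly.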


Technical Details

Data Version: 5.1
Assigner Short Name: juniper
Date Reserved: 2025-06-23T13:17:37.424Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e7da5eba0e608b4fa05b89

Added to database: 10/9/2025, 3:53:02 PM

Last enriched: 12/1/2025, 8:58:01 AM

Last updated: 12/4/2025, 6:10:21 AM
