CVE-2025-52960: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in Juniper Networks Junos OS
A Buffer Copy without Checking Size of Input vulnerability in the Session Initiation Protocol (SIP) ALG of Juniper Networks Junos OS on MX Series and SRX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When memory utilization is high, and specific SIP packets are received, flowd crashes. While the system recovers automatically, the disruption can significantly impact service stability. Continuous receipt of these specific SIP packets, while high utilization is present, will cause a sustained DoS condition. The utilization is outside the attacker's control, so they would not be able to deterministically exploit this. This issue affects Junos OS on SRX Series and MX Series:
- All versions before 22.4R3-S7,
- from 23.2 before 23.2R2-S4,
- from 23.4 before 23.4R2-S5,
- from 24.2 before 24.2R2.
AI Analysis
Technical Summary
CVE-2025-52960 is a classic buffer overflow vulnerability (CWE-120) in the Session Initiation Protocol (SIP) Application Layer Gateway (ALG) component of Juniper Networks Junos OS on MX and SRX Series routers and firewalls. The vulnerability arises from a buffer copy operation that does not properly check the size of its input, allowing an attacker to send specially crafted SIP packets that cause the flowd process to crash when memory utilization is high. Flowd is a critical process responsible for flow management and state tracking in Junos OS. When flowd crashes, it causes a denial of service (DoS) by disrupting normal traffic flow and device operation. Although the system recovers automatically, continuous triggering of this condition can sustain the DoS, severely impacting network availability. The attacker does not require authentication or user interaction and can launch the attack remotely over the network. However, the attacker cannot deterministically exploit the vulnerability because the high memory utilization condition is outside their control. The vulnerability affects all Junos OS versions before 22.4R3-S7, from 23.2 before 23.2R2-S4, from 23.4 before 23.4R2-S5, and from 24.2 before 24.2R2. There are no known public exploits or active exploitation campaigns at this time. The CVSS v3.1 base score is 5.9, reflecting medium severity with a network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability. This vulnerability is significant for organizations relying on Juniper MX and SRX devices for critical network infrastructure, especially those handling SIP traffic.
Potential Impact
For European organizations, the primary impact of CVE-2025-52960 is the potential for denial of service on critical Juniper MX and SRX network devices that handle SIP traffic. This can lead to network outages, degraded service quality, and disruption of voice and video communications reliant on SIP, affecting business operations and customer experience. The automatic recovery of the flowd process mitigates prolonged downtime but does not eliminate the risk of sustained DoS if the attack is continuously applied during high memory utilization periods. Organizations in telecommunications, finance, government, and enterprises with heavy SIP usage are particularly at risk. The inability to deterministically trigger the vulnerability reduces the likelihood of widespread exploitation but does not eliminate the threat. Disruptions in network availability can also impact compliance with European regulations on service continuity and data protection. Additionally, the attack requires no authentication, increasing exposure to external attackers scanning for vulnerable devices.
Mitigation Recommendations
European organizations should prioritize upgrading Junos OS on affected MX and SRX devices to the fixed versions: 22.4R3-S7 or later, 23.2R2-S4 or later, 23.4R2-S5 or later, and 24.2R2 or later. Until patches are applied, network administrators should implement strict filtering of SIP traffic at network perimeters to block malformed or suspicious SIP packets that could trigger the vulnerability. Monitoring memory utilization and flowd process stability can provide early warning of attempted exploitation. Rate limiting SIP traffic and deploying anomaly detection systems focused on SIP protocol anomalies can reduce attack surface. Network segmentation to isolate critical Juniper devices from untrusted networks will limit exposure. Regularly reviewing device logs for flowd crashes and unusual SIP traffic patterns is recommended. Coordination with Juniper support for guidance and updates is advised. Finally, ensure that incident response plans include procedures for rapid recovery from flowd crashes and DoS conditions.
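The advisory's precondition (flowd crashes only while memory utilization is high, and sustained DoS needs repeated crashes) can be turned into a log-correlation check. The script below is an added example, not part of the advisory or any Juniper tooling; the syslog lines and their message formats are constructed for illustration and are not real Junos log text, so the regular expressions would need to be adapted to the actual messages on a given platform.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (assumed formats, not real Junos syslog output).
SAMPLE_LOG = """\
2025-10-09T15:40:01 srx1 kernel: memory utilization 92%
2025-10-09T15:40:05 srx1 init: flowd (PID 1234) terminated by signal 11, core dumped
2025-10-09T15:40:09 srx1 init: flowd restarted
2025-10-09T15:42:30 srx1 kernel: memory utilization 93%
2025-10-09T15:42:33 srx1 init: flowd (PID 1301) terminated by signal 11, core dumped
2025-10-09T15:50:00 srx1 kernel: memory utilization 41%
2025-10-09T15:50:10 srx1 init: flowd (PID 1402) terminated by signal 11, core dumped
"""

MEM_RE = re.compile(r"^(\S+) (\S+) .*memory utilization (\d+)%")
CRASH_RE = re.compile(r"^(\S+) (\S+) .*flowd .*terminated by signal")


def find_suspicious_crashes(log_text, mem_threshold=85, window_minutes=5):
    """Return (host, timestamp) for each flowd crash whose most recent
    memory reading was at or above mem_threshold and no older than
    window_minutes: the precondition the advisory describes."""
    last_mem = {}  # host -> (timestamp of reading, percent)
    hits = []
    for line in log_text.splitlines():
        m = MEM_RE.match(line)
        if m:
            last_mem[m.group(2)] = (datetime.fromisoformat(m.group(1)), int(m.group(3)))
            continue
        c = CRASH_RE.match(line)
        if not c:
            continue
        host, ts = c.group(2), datetime.fromisoformat(c.group(1))
        if host in last_mem:
            mem_ts, pct = last_mem[host]
            if pct >= mem_threshold and ts - mem_ts <= timedelta(minutes=window_minutes):
                hits.append((host, ts.isoformat()))
    return hits


def sustained_dos_hosts(hits, min_crashes=2):
    """Hosts with repeated high-memory flowd crashes, i.e. the sustained
    DoS pattern rather than a single incident."""
    counts = {}
    for host, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= min_crashes)


if __name__ == "__main__":
    flagged = find_suspicious_crashes(SAMPLE_LOG)
    print("flagged crashes:", flagged)
    print("sustained DoS candidates:", sustained_dos_hosts(flagged))
```

The third crash in the sample is not flagged because the latest memory reading for that host is below the threshold, which matches the advisory's statement that the crash depends on high utilization.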
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Norway
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- juniper
- Date Reserved
- 2025-06-23T13:17:37.424Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68e7da5eba0e608b4fa05b89
Added to database: 10/9/2025, 3:53:02 PM
Last enriched: 10/9/2025, 4:10:39 PM
Last updated: 10/11/2025, 1:51:25 PM