CVE-2025-59958 is a vulnerability classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) affecting the Packet Forwarding Engine (PFE) in Juniper Networks Junos OS Evolved running on PTX Series routers. The flaw occurs when an output firewall filter is configured with one or more terms where the action is set to 'reject'. Instead of properly dropping these packets, the PFE erroneously forwards them to the Routing Engine (RE) for further processing. The RE has limited resources, and processing these unexpected packets can lead to resource exhaustion, impacting router availability. Additionally, the RE’s responses to the source of this traffic may inadvertently disclose confidential information about the device, thus impacting confidentiality. This issue specifically affects output filters applied to WAN or revenue interfaces, excluding management or loopback interfaces and input filters. The vulnerability is exploitable remotely by unauthenticated attackers without requiring user interaction, increasing its risk profile. It affects all Junos OS Evolved versions prior to 22.4R3-EVO and 23.2 versions prior to 23.2R2-EVO on PTX Series hardware. No public exploits or active exploitation have been reported yet. The CVSS v3.1 base score is 6.5, reflecting medium severity due to network attack vector, no privileges required, no user interaction, limited confidentiality impact, and availability impact through resource exhaustion.

For European organizations, this vulnerability poses a risk primarily to network infrastructure relying on Juniper PTX Series routers running affected Junos OS Evolved versions. The improper forwarding of rejected packets to the Routing Engine can lead to denial of service conditions by exhausting critical RE resources, potentially disrupting network availability and causing outages. Confidential information leakage through RE responses could expose sensitive device details to attackers, increasing the risk of further targeted attacks. Organizations with critical WAN or revenue interfaces using these routers are particularly vulnerable. Disruptions in core routing infrastructure can impact service providers, large enterprises, and government networks, leading to operational downtime and potential data breaches. Given the unauthenticated, remote exploitability, attackers can launch attacks from the internet without prior access, increasing the threat surface. The absence of known exploits in the wild provides a window for proactive mitigation, but the medium severity score indicates that exploitation could have meaningful operational impacts.

European organizations should immediately assess their Juniper PTX Series routers to identify if they run affected Junos OS Evolved versions prior to 22.4R3-EVO or 23.2R2-EVO. Applying vendor-supplied patches or upgrading to fixed versions is the most effective mitigation. Until patches are applied, organizations should audit firewall filter configurations, specifically output filters with 'reject' actions on WAN or revenue interfaces, and consider temporarily disabling or modifying these filters to avoid triggering the vulnerability. Network segmentation and strict ingress filtering can help limit exposure to untrusted traffic that could exploit this flaw. Monitoring router logs and network traffic for unusual RE processing or unexpected responses may help detect exploitation attempts. Additionally, implementing rate limiting on traffic matching reject terms could reduce the risk of resource exhaustion. Coordination with Juniper support for guidance and updates is recommended. Finally, ensure robust incident response plans are in place to quickly address any signs of exploitation.