CVE-2025-59960 is a vulnerability classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) affecting the DHCP relay functionality in Juniper Networks Junos OS and Junos OS Evolved. The DHCP relay agent is responsible for forwarding DHCP client requests across subnets, inserting Option 82 information to identify the relay point. By default, the relay inserts its own Option 82, optionally replacing any client-provided Option 82. However, when operating in 'forward-only' mode, the relay should drop DHCP DISCOVER packets containing Option 82 unless the 'trust-option82' configuration is enabled. Due to improper validation, the relay forwards these packets unmodified to the DHCP server. This flaw allows a malicious DHCP client on one subnet to send crafted DHCP DISCOVER requests that consume IP addresses from other subnets' DHCP pools, leading to exhaustion of available addresses and causing a Denial of Service (DoS) for legitimate clients. The vulnerability affects a broad range of Junos OS versions before the patched releases listed, spanning from versions prior to 21.2R3-S10 up to versions before 25.2R1-S1 and 25.2R2, including Junos OS Evolved variants. The CVSS v3.1 score is 7.4, indicating high severity with an attack vector requiring adjacent network access, low complexity, no privileges, and no user interaction. The impact is limited to availability, with no direct confidentiality or integrity compromise. No known exploits are reported in the wild yet, but the vulnerability poses a significant risk to network availability in environments relying on affected Juniper DHCP relay implementations.

For European organizations, this vulnerability can lead to significant network disruption by causing DHCP address pool exhaustion, resulting in denial of service for clients requiring IP address assignment. This can impact critical infrastructure, enterprise networks, and service providers using Juniper routers and switches running affected Junos OS versions. The disruption could affect business continuity, especially in sectors reliant on stable network connectivity such as finance, healthcare, telecommunications, and government. The ability of an attacker to cause cross-subnet DHCP exhaustion means that even clients on isolated subnets can impact other network segments, increasing the attack surface. Given the widespread use of Juniper equipment in Europe, particularly in telecommunications and large enterprises, the potential for service outages and operational impact is considerable. Additionally, the vulnerability could be leveraged as part of a broader attack to degrade network services or as a diversion for other malicious activities.

To mitigate this vulnerability, European organizations should immediately identify and inventory all Juniper devices running affected Junos OS and Junos OS Evolved versions. They should prioritize upgrading to the fixed versions as specified by Juniper Networks, ensuring to apply the latest patches that address CVE-2025-59960. Until patches are applied, network administrators should review and adjust DHCP relay configurations, specifically verifying the use of 'trust-option82' settings to ensure that DHCP DISCOVER packets with Option 82 are properly validated and dropped when necessary. Network segmentation and access controls should be enforced to limit DHCP client access to trusted subnets only, reducing the risk of malicious DHCP requests originating from unauthorized clients. Monitoring DHCP server logs and network traffic for unusual DHCP DISCOVER patterns or rapid address pool depletion can provide early detection of exploitation attempts. Implementing rate limiting on DHCP requests and employing DHCP snooping features where supported can further reduce risk. Coordination with Juniper support and following their security advisories is recommended for ongoing updates and best practices.