
CVE-2025-59960: CWE-754 Improper Check for Unusual or Exceptional Conditions in Juniper Networks Junos OS

High
Vulnerability, CVE-2025-59960, cve, cve-2025-59960, cwe-754
Published: Thu Jan 15 2026 (01/15/2026, 20:14:00 UTC)
Source: CVE Database V5
Vendor/Project: Juniper Networks
Product: Junos OS

Description

CVE-2025-59960 is a high-severity vulnerability in Juniper Networks Junos OS and Junos OS Evolved affecting the DHCP relay agent. The flaw allows a DHCP client in one subnet to exhaust DHCP address pools of other subnets by exploiting improper handling of DHCP Option 82 in 'forward-only' mode. This leads to denial of service (DoS) on downstream DHCP servers by depleting available IP addresses. The vulnerability affects multiple Junos OS versions prior to various fixed releases starting from 21.2R3-S10 and corresponding Junos OS Evolved versions. Exploitation requires network access but no authentication or user interaction, with a CVSS score of 7.4. No known exploits are currently reported in the wild. European organizations using vulnerable Juniper devices should prioritize patching and consider network segmentation and DHCP relay configuration hardening to mitigate risk.

AI-Powered Analysis

Last updated: 01/22/2026, 21:26:04 UTC

Technical Analysis

CVE-2025-59960 is an improper check for unusual or exceptional conditions vulnerability (CWE-754) found in the DHCP relay agent (jdhcpd) component of Juniper Networks Junos OS and Junos OS Evolved. The vulnerability arises because the DHCP relay agent incorrectly forwards DHCP DISCOVER messages containing Option 82 information in 'forward-only' mode without dropping them when it should, unless the 'trust-option82' configuration is enabled. Option 82 is used by DHCP relay agents to insert circuit identification and remote ID information, which helps DHCP servers assign IP addresses appropriately. Due to this improper handling, a malicious DHCP client located in one subnet can send crafted DHCP DISCOVER packets that cause the DHCP server to allocate IP addresses from other subnets' pools. This leads to exhaustion of the DHCP address pool on the downstream DHCP server, resulting in a denial of service condition where legitimate clients cannot obtain IP addresses. The vulnerability affects a wide range of Junos OS versions, including all versions before 21.2R3-S10, certain versions from 21.4 through 25.2, and their corresponding Junos OS Evolved versions. The CVSS 3.1 base score is 7.4, reflecting a high severity due to the ability to cause availability impact without requiring authentication or user interaction, though the attack requires network access to the DHCP relay. No public exploits have been reported yet, but the vulnerability poses a significant risk to network availability in environments using vulnerable Juniper devices as DHCP relay agents.

Potential Impact

For European organizations, this vulnerability can disrupt critical network services by causing DHCP address pool exhaustion, leading to denial of service for end users and devices relying on DHCP for IP address assignment. This can affect enterprise networks, data centers, and service providers using Juniper routers and switches running vulnerable Junos OS versions. The impact is particularly severe in large-scale or segmented networks where DHCP relay agents manage multiple subnets, as an attacker in one subnet can impact others. This can cause operational downtime, loss of productivity, and potential cascading failures in dependent services. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure, which rely heavily on Juniper networking equipment, may face increased risk. Additionally, the attack does not require authentication, making it easier for internal or compromised attackers to exploit. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge.

Mitigation Recommendations

European organizations should immediately assess their Juniper device inventory to identify affected Junos OS and Junos OS Evolved versions. Applying the vendor-provided patches and updates to fixed versions (e.g., 21.2R3-S10 or later) is the most effective mitigation. Until patches are applied, network administrators should consider disabling DHCP relay agents where not necessary or restricting DHCP relay functionality to trusted network segments. Configuring the DHCP relay agent to enable 'trust-option82' only when appropriate and ensuring strict validation of DHCP packets can reduce risk. Implementing network segmentation and access control lists (ACLs) to limit DHCP traffic from untrusted subnets can prevent malicious clients from exploiting this vulnerability. Monitoring DHCP server logs for unusual address allocation patterns and setting alerts for rapid address pool depletion can provide early detection. Additionally, organizations should review their incident response plans to handle potential DHCP service disruptions. Coordination with Juniper support for guidance and updates is recommended.
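The packet check implied by the analysis above can be run over captured client-facing DHCP traffic to flag DISCOVER messages that arrive with Option 82 already present. This is an added example, not Juniper's code or part of the original advisory; the function names, the use of a zero `giaddr` to mean "received directly from a client" (the RFC 3046 convention), and the sample packets are assumptions made for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
DHCPDISCOVER = 1

def parse_options(data):
    """Return {code: value} for a DHCP options field (first occurrence wins)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.setdefault(code, value)
        i += 2 + length
    return opts

def classify(payload, trust_option82=False):
    """Verdict for a DHCP payload seen on an untrusted, client-facing port."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return "drop: not a DHCP message"
    giaddr = payload[24:28]  # all zero means no relay has handled it yet
    try:
        opts = parse_options(payload[240:])
    except ValueError as exc:
        return f"drop: {exc}"
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return "ignore: not a DISCOVER"
    # Option 82 is inserted by relays; a directly attached client has no
    # business supplying it unless the port is explicitly trusted.
    if OPT_RELAY_INFO in opts and giaddr == bytes(4) and not trust_option82:
        return "drop: client-supplied Option 82"
    return "forward"

def sample_discover(option82=b"", giaddr=bytes(4)):
    """Constructed test input: minimal BOOTP header plus DHCP options."""
    header = bytearray(236)
    header[0:3] = bytes([1, 1, 6])  # op=BOOTREQUEST, htype=Ethernet, hlen=6
    header[24:28] = giaddr
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if option82:
        opts += bytes([OPT_RELAY_INFO, len(option82)]) + option82
    return bytes(header) + MAGIC_COOKIE + opts + bytes([OPT_END])
```

A count of "drop: client-supplied Option 82" verdicts per source port is a useful alert input alongside DHCP pool utilization.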


Technical Details

Data Version: 5.2
Assigner Short Name: juniper
Date Reserved: 2025-09-23T18:19:06.954Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 69694e761ab3796b105000ea

Added to database: 1/15/2026, 8:30:46 PM

Last enriched: 1/22/2026, 9:26:04 PM

Last updated: 2/6/2026, 8:51:24 PM
