
CVE-2025-59964: CWE-908: Use of Uninitialized Resource in Juniper Networks Junos OS

Severity: High
Published: Thu Oct 09 2025 (10/09/2025, 15:46:25 UTC)
Source: CVE Database V5
Vendor/Project: Juniper Networks
Product: Junos OS

Description

A Use of Uninitialized Resource vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX4700 devices allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When forwarding-options sampling is enabled, receipt of any traffic destined to the Routing Engine (RE) by the PFE line card leads to an FPC crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of any traffic leading to the RE by the PFE line card will create a sustained Denial of Service (DoS) condition to the PFE line card.

This issue affects Junos OS on SRX4700:

* from 24.4 before 24.4R1-S3, 24.4R2.

This issue affects IPv4 and IPv6.

AI-Powered Analysis

Last updated: 10/09/2025, 16:07:58 UTC

Technical Analysis

CVE-2025-59964 is a vulnerability classified under CWE-908 (Use of Uninitialized Resource) found in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS running on SRX4700 devices. The vulnerability manifests when the forwarding-options sampling feature is enabled. In this state, any network traffic destined for the Routing Engine (RE) that is processed by the PFE line card causes the Flexible PIC Concentrator (FPC) to crash and restart. This results in a Denial of Service (DoS) condition affecting the PFE line card, which can be sustained by continued receipt of such traffic. The vulnerability affects both IPv4 and IPv6 traffic. The flaw exists in Junos OS version 24.4 prior to 24.4R1-S3 and 24.4R2 releases. Exploitation requires no authentication or user interaction and can be triggered remotely over the network, making it easily exploitable. The impact is limited to availability, as confidentiality and integrity are not affected. No public exploits are currently known, but the vulnerability has a CVSS v3.1 base score of 7.5 (high severity), reflecting its potential to disrupt network operations. Juniper has not yet published patches or mitigation guidance at the time of this report.

Potential Impact

For European organizations, especially those operating critical infrastructure, telecommunications, or large enterprise networks using Juniper SRX4700 devices, this vulnerability poses a significant risk to network availability. A successful attack can cause repeated crashes and restarts of the PFE line card, leading to sustained Denial of Service conditions that disrupt traffic forwarding and potentially degrade or halt network services. This can affect business continuity, cause service outages, and impact dependent services such as VPNs, firewalls, and routing functions. Given the vulnerability requires no authentication and can be triggered remotely, attackers can exploit it from outside the network perimeter, increasing the threat surface. The impact is particularly critical for organizations relying on Junos OS 24.4 versions before patched releases. Disruptions in network infrastructure can also have cascading effects on connected systems and services, amplifying operational risks.

Mitigation Recommendations

1. Immediate upgrade to Junos OS versions 24.4R1-S3 or 24.4R2 or later where the vulnerability is addressed.
2. If patching is not immediately possible, disable forwarding-options sampling on SRX4700 devices to prevent triggering the vulnerability.
3. Implement network-level filtering to block or rate-limit traffic destined to the Routing Engine (RE) from untrusted sources, reducing exposure to malicious packets.
4. Monitor device logs and performance metrics for signs of FPC crashes or restarts indicative of exploitation attempts.
5. Employ network segmentation to isolate critical Juniper devices from untrusted networks and restrict access to management interfaces.
6. Engage with Juniper support for any available interim mitigation scripts or configuration recommendations.
7. Conduct regular vulnerability assessments and penetration testing focused on network infrastructure devices to detect exploitation attempts early.
8. Maintain an incident response plan tailored to network device DoS scenarios to minimize downtime.
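One way to triage an inventory against the three conditions above (SRX4700, a 24.4 release before 24.4R1-S3 or 24.4R2, forwarding-options sampling enabled), as an added example that is not Juniper's or this page's own tooling. The function names and sample configuration are hypothetical; it assumes release strings in the usual `24.4R1-S2.5` form and configuration in `display set` format.

```python
import re

# Junos release strings such as 24.4R1, 24.4R1.9 or 24.4R1-S2.5
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse_version(text):
    """Return (major, minor, R, S); S is 0 when there is no service release."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    major, minor, rel, svc = m.groups()
    return int(major), int(minor), int(rel), int(svc or 0)

def version_affected(text):
    """True for 24.4 releases before 24.4R1-S3 / 24.4R2 (range from this page)."""
    major, minor, rel, svc = parse_version(text)
    if (major, minor) != (24, 4):
        return False              # the page lists only the 24.4 branch
    return (rel, svc) < (1, 3)    # 24.4R1-S3 and every 24.4R2+ compare as fixed

def sampling_enabled(set_lines):
    """True if 'display set' output has an active forwarding-options sampling stanza.
    Assumption: a stanza deactivated at that level or its parent counts as disabled."""
    configured = False
    for line in set_lines:
        words = line.split()
        if words[:1] == ["deactivate"] and words[1:] in (
                ["forwarding-options"], ["forwarding-options", "sampling"]):
            return False
        if words[:3] == ["set", "forwarding-options", "sampling"]:
            configured = True
    return configured

def triage(model, version, set_lines):
    if model.upper() != "SRX4700":
        return "model-not-listed"
    if not version_affected(version):
        return "release-not-affected"
    if sampling_enabled(set_lines):
        return "exposed"
    return "affected-release-sampling-off"

# Constructed sample configuration, not taken from a real device.
SAMPLE_CFG = [
    "set system host-name fw-edge-1",
    "set forwarding-options sampling instance FLOW1 input rate 100",
]

if __name__ == "__main__":
    print(triage("SRX4700", "24.4R1-S2.5", SAMPLE_CFG))
```

A device reported as `affected-release-sampling-off` still runs an affected release and stays on the upgrade list; only the trigger condition is absent.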


Technical Details

Data Version: 5.1
Assigner Short Name: juniper
Date Reserved: 2025-09-23T18:19:06.955Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68e7da5fba0e608b4fa05bc5

Added to database: 10/9/2025, 3:53:03 PM

Last enriched: 10/9/2025, 4:07:58 PM

Last updated: 10/9/2025, 7:09:47 PM
