CVE-2025-59967 is a NULL Pointer Dereference vulnerability classified under CWE-476 affecting the PFE management daemon (evo-pfemand) component of Juniper Networks Junos OS Evolved on ACX7024, ACX7024X, ACX7100-32C, ACX7100-48L, ACX7348, and ACX7509 devices. The flaw arises when the daemon processes specific valid multicast traffic received on any Layer 3 interface, causing a NULL pointer dereference that crashes the evo-pfemand process. Upon crashing, the process restarts automatically, but continuous receipt of the crafted multicast packets results in a sustained Denial of Service (DoS) condition. This vulnerability affects both IPv4 and IPv6 multicast traffic and impacts Junos OS Evolved versions 23.2R2-EVO (before 23.2R2-S4-EVO) and 23.4R1-EVO (before 23.4R2-EVO). The vulnerability does not require any authentication or user interaction but requires the attacker to be adjacent to the target device, meaning they must be on the same Layer 2 network segment or have network access to the Layer 3 interface. The vulnerability can disrupt network availability by causing repeated crashes of a critical forwarding engine management process, potentially impacting routing and packet forwarding on affected devices. No public exploits or active exploitation have been reported to date. Juniper has released patches in versions 23.2R2-S4-EVO and 23.4R2-EVO to address this issue.

For European organizations, this vulnerability poses a risk primarily to network infrastructure relying on Juniper ACX series devices running the affected Junos OS Evolved versions. The Denial of Service caused by repeated crashes of the evo-pfemand process can disrupt network availability, impacting critical services and communications. This is especially significant for ISPs, telecom operators, and large enterprises that use these devices for routing and forwarding in their networks. The requirement for adjacency limits remote exploitation but does not eliminate risk in environments where attackers can gain Layer 2 or Layer 3 access, such as compromised internal networks or poorly segmented environments. Disruption of multicast traffic handling can also affect services relying on multicast, including IPTV, video conferencing, and certain enterprise applications. The lack of confidentiality or integrity impact reduces the risk of data breaches but the availability impact can cause operational downtime and service degradation. Given the widespread use of Juniper devices in European telecom and enterprise networks, the potential for network outages and service interruptions is a critical concern.

European organizations should prioritize upgrading affected Juniper Junos OS Evolved devices to the fixed versions 23.2R2-S4-EVO or 23.4R2-EVO as soon as possible. Until patches are applied, network administrators should implement strict network segmentation and access controls to limit adjacency to critical network devices, reducing the attack surface. Monitoring multicast traffic patterns for anomalies or spikes in multicast packets may help detect exploitation attempts. Deploying network intrusion detection systems (NIDS) with signatures or heuristics to identify malformed or suspicious multicast traffic targeting the evo-pfemand process can provide early warning. Additionally, disabling unnecessary multicast routing or filtering multicast traffic at network boundaries can reduce exposure. Regularly auditing device configurations and firmware versions will ensure timely identification of vulnerable devices. Coordination with Juniper support for any interim mitigation advice or workarounds is recommended. Finally, maintaining robust incident response plans to quickly address potential DoS incidents will minimize operational impact.