CVE-2025-60003 is a buffer over-read vulnerability classified under CWE-126, found in the routing protocol daemon (rpd) component of Juniper Networks Junos OS and Junos OS Evolved. The flaw arises when the affected device receives a Border Gateway Protocol (BGP) update containing a specific set of optional transitive attributes over an established peering session. If one or both BGP peers are non-4-byte-AS capable—determined by the advertised capabilities during session establishment—and the device attempts to advertise this information to another peer, the rpd process encounters a buffer over-read condition. This causes the daemon to crash and subsequently restart, resulting in a denial-of-service (DoS) condition that disrupts routing functionality. The vulnerability affects all Junos OS versions before 22.4R3-S8, certain 23.x, 24.x versions, and their Junos OS Evolved counterparts prior to specified patch releases. The default configuration of Junos OS is 4-byte-AS capable unless explicitly disabled, which means this vulnerability is triggered only in environments where disable-4byte-as is configured or peers are non-4-byte-AS capable. The attack vector is network-based and requires no authentication or user interaction, making it relatively easy to exploit if an attacker can send malicious BGP updates. Although no known exploits are currently reported in the wild, the potential for disruption in critical network infrastructure is significant given the role of BGP in internet routing. The CVSS v3.1 score of 7.5 reflects high severity due to the ease of exploitation and impact on availability without compromising confidentiality or integrity.

For European organizations, the primary impact of CVE-2025-60003 is the potential disruption of network routing services due to the forced crash and restart of the rpd process on Juniper devices. This can lead to temporary loss of connectivity, routing instability, and degraded network performance, affecting enterprise networks, internet service providers (ISPs), and data centers relying on Juniper routers for BGP routing. Critical infrastructure operators, cloud service providers, and telecommunications companies in Europe that use Junos OS in their backbone or edge routing infrastructure are particularly vulnerable. The disruption could affect business continuity, cause service outages, and impact dependent services such as cloud applications, VoIP, and financial transactions. Additionally, the vulnerability could be leveraged as part of a larger distributed denial-of-service (DDoS) campaign targeting network infrastructure. The requirement for non-4-byte-AS capable peers limits the scope somewhat, but mixed AS environments are common in complex networks, increasing the risk. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

European organizations should prioritize upgrading affected Junos OS and Junos OS Evolved devices to the patched versions listed: 22.4R3-S8 or later, 23.2R2-S5 or later, 23.4R2-S6 or later, 24.2R2-S2 or later, and 24.4R2 or later. Network administrators should audit BGP configurations to identify and document peers that are non-4-byte-AS capable by using the command 'show bgp neighbor <IP address> | match "4 byte AS"'. Where feasible, reconfigure BGP peers to enable 4-byte-AS capability to reduce exposure. Implement strict BGP session filtering and validation to block malformed or suspicious BGP updates from untrusted peers. Employ route validation mechanisms such as RPKI to ensure the authenticity of BGP announcements. Monitor rpd process stability and BGP session health closely for signs of crashes or restarts. Consider deploying network segmentation and redundancy to isolate vulnerable devices and maintain routing continuity during potential outages. Engage with Juniper support for guidance on interim mitigations if immediate patching is not possible. Maintain up-to-date threat intelligence to detect any emerging exploits targeting this vulnerability.