CVE-2025-60004 is a vulnerability classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) affecting the routing protocol daemon (rpd) in Juniper Networks Junos OS and Junos OS Evolved. The flaw arises when the rpd improperly handles certain BGP EVPN update messages received over an established BGP session, leading to a crash and restart of the rpd process. This results in a denial-of-service condition that disrupts routing functionality. The vulnerability affects both internal BGP (iBGP) and external BGP (eBGP) sessions over IPv4 and IPv6. Importantly, the presence of a BGP EVPN configuration on the device is not necessary for the vulnerability to be triggered; however, if BGP peers do not send EVPN updates, exploitation cannot occur. The affected Junos OS versions include 23.4R2-S3 through before 23.4R2-S5, 24.2R2 before 24.2R2-S1, and 24.4 versions before 24.4R1-S3 and 24.4R2. Similarly, Junos OS Evolved versions from 23.4R2-S2-EVO before 23.4R2-S5-EVO, 24.2R2-EVO before 24.2R2-S1-EVO, and 24.4-EVO before 24.4R1-S3-EVO and 24.4R2-EVO are affected. The CVSS v3.1 score of 7.5 indicates a high severity due to the network attack vector, lack of required privileges or user interaction, and a significant impact on availability. No known exploits have been reported in the wild to date. The vulnerability could be exploited by an unauthenticated attacker who can send malicious BGP EVPN update messages to cause routing daemon crashes, potentially disrupting network connectivity and causing outages in critical infrastructure relying on Juniper routing devices.

For European organizations, this vulnerability poses a significant risk to network stability and availability, particularly for enterprises, ISPs, and data centers that rely on Juniper Networks Junos OS for routing. A successful exploitation could lead to repeated crashes of the routing daemon, causing intermittent or sustained denial-of-service conditions that disrupt internal and external network communications. This can affect business continuity, critical services, and data flow across interconnected networks. The impact is heightened in environments with dense BGP peering arrangements, including large telecom providers and cloud service operators. Since the vulnerability affects both IPv4 and IPv6 BGP sessions and does not require prior authentication, the attack surface is broad. Disruptions in routing can also have cascading effects on dependent services and applications, potentially leading to financial losses and reputational damage. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

1. Upgrade affected Junos OS and Junos OS Evolved devices to the fixed versions as soon as they become available from Juniper Networks. 2. Implement strict BGP session filtering to block unexpected or unauthorized BGP EVPN update messages, especially from external peers. 3. Monitor BGP sessions for unusual EVPN update traffic patterns that could indicate exploitation attempts. 4. Use network segmentation to isolate critical routing infrastructure and limit exposure to untrusted networks. 5. Employ redundancy and failover mechanisms in routing to minimize service disruption during rpd crashes. 6. Coordinate with upstream and downstream network providers to ensure consistent filtering and protection against malicious BGP EVPN updates. 7. Regularly review and update routing policies to restrict EVPN updates only to trusted peers. 8. Maintain up-to-date backups and incident response plans to quickly recover from potential DoS events caused by this vulnerability.