CVE-2025-60006 is a medium-severity OS command injection vulnerability identified in Juniper Networks Junos OS Evolved CLI. The vulnerability stems from improper neutralization of special elements in commands processed by underlying scripts. When an attacker with limited privileges executes crafted CLI commands, these scripts may inadvertently execute injected shell commands. This can lead to unauthorized command execution and privilege escalation beyond the attacker's assigned permissions. The affected versions include Junos OS Evolved 24.2 before 24.2R2-S2-EVO and 24.4 before 24.4R2-EVO; versions earlier than 24.2R1-EVO are not affected. The vulnerability requires local access with some privileges (AV:L, PR:L) but no user interaction (UI:N). The CVSS 3.1 vector (5.3) reflects a medium impact on confidentiality, integrity, and availability due to potential unauthorized command execution. No public exploits have been reported yet. The root cause is insufficient input validation and sanitization in CLI command processing scripts, allowing injection of shell commands. This vulnerability could be leveraged by attackers to perform unauthorized operations, potentially disrupting network device functionality or exfiltrating sensitive information. Juniper has released fixed versions 24.2R2-S2-EVO and 24.4R2-EVO to address this issue.

For European organizations, especially those operating critical network infrastructure such as ISPs, telecom providers, and large enterprises relying on Juniper Junos OS Evolved, this vulnerability poses a risk of unauthorized command execution and privilege escalation. Exploitation could lead to disruption of network services, unauthorized configuration changes, or data leakage. Given the medium CVSS score, the impact is moderate but significant in environments where network device integrity and availability are critical. The requirement for local access and some privileges limits remote exploitation but insider threats or compromised accounts could leverage this vulnerability. The potential impact on confidentiality, integrity, and availability of network devices could cascade to broader organizational risks including service outages and regulatory compliance issues under GDPR if customer data is affected.

European organizations should immediately assess their Junos OS Evolved deployments to identify affected versions (24.2 before 24.2R2-S2-EVO and 24.4 before 24.4R2-EVO). The primary mitigation is to upgrade to the fixed versions 24.2R2-S2-EVO or 24.4R2-EVO provided by Juniper. Until patches are applied, restrict CLI access strictly to trusted administrators using network segmentation, strong authentication methods (e.g., multi-factor authentication), and monitoring of CLI command usage for suspicious activity. Implement strict role-based access controls to minimize privileges granted to users. Employ network-level controls to limit local access to network devices, such as VPNs with strong endpoint security and limiting physical access to devices. Regularly audit device configurations and logs to detect anomalous commands or privilege escalations. Additionally, consider deploying host-based intrusion detection on management stations to detect attempts to exploit this vulnerability.