CVE-2025-60011 is classified under CWE-754, indicating an improper check for unusual or exceptional conditions within the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. The vulnerability arises when an affected device receives a specific optional, transitive BGP attribute over an established BGP session. The device erroneously modifies this attribute before forwarding it to its peers. Upon receiving the malformed attribute, peer devices typically terminate their BGP sessions with the affected device, causing routing session drops and subsequent routing churn. This chain reaction leads to network instability and availability degradation for downstream devices relying on these BGP sessions. The vulnerability affects all Junos OS and Junos OS Evolved versions before the following patched releases: 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S2, and 24.4R2 (and their EVO equivalents). The CVSS v3.1 base score is 5.8 (medium), reflecting a network attack vector with no required privileges or user interaction, and an impact limited to availability. No confidentiality or integrity impacts are noted. No public exploits have been reported to date, but the vulnerability's nature allows unauthenticated attackers to cause denial-of-service conditions by disrupting BGP routing sessions. This can have cascading effects on network stability, especially in environments heavily reliant on Juniper routing infrastructure for critical connectivity.

For European organizations, this vulnerability poses a significant risk to network availability, particularly for ISPs, large enterprises, and data centers that depend on Juniper routers for BGP routing. Disruption of BGP sessions can lead to routing instability, increased latency, packet loss, or even partial network outages. Critical infrastructure sectors such as telecommunications, finance, and government services could experience degraded service or outages, impacting business continuity and potentially violating regulatory uptime requirements. The availability impact could also affect cross-border data flows and interconnectivity between European networks, given the widespread use of BGP for internet routing. Although the vulnerability does not compromise data confidentiality or integrity, the denial-of-service potential can disrupt essential services and cause operational and reputational damage. The lack of authentication requirement and ease of exploitation over the network increases the threat level, especially in hostile geopolitical contexts where adversaries may seek to disrupt European network infrastructure.

Organizations should prioritize upgrading affected Junos OS and Junos OS Evolved devices to the fixed versions: 22.4R3-S8 or later, 23.2R2-S5 or later, 23.4R2-S6 or later, 24.2R2-S2 or later, and 24.4R2 or later, including EVO variants. Until patches are applied, network administrators should implement strict BGP session filtering and validation to detect and block malformed or suspicious BGP attributes from untrusted peers. Deploying BGP session authentication (e.g., TCP MD5 or TCP-AO) can reduce the risk of unauthorized BGP session manipulation. Monitoring BGP session stability and routing anomalies with network telemetry and alerting systems can provide early detection of exploitation attempts. Network segmentation and limiting BGP peering to trusted partners can further reduce exposure. Additionally, organizations should review incident response plans to address potential routing outages and coordinate with upstream providers and peers to mitigate cascading effects. Regularly reviewing Juniper security advisories and subscribing to threat intelligence feeds will ensure timely awareness of new developments or exploit reports.