CVE-2025-60004

Juniper · Juniper Networks Junos OS and Junos OS Evolved

A high-severity vulnerability has been discovered in Juniper Networks Junos OS and Junos OS Evolved, identified as CVE-2025-60004.

Executive summary

A high-severity vulnerability has been discovered in Juniper Networks Junos OS and Junos OS Evolved, identified as CVE-2025-60004. An unauthenticated attacker on the network can exploit this flaw by sending a specially crafted packet, causing the routing protocol daemon to crash and resulting in a Denial-of-Service (DoS) condition that can disrupt network traffic and lead to outages.

Vulnerability

The vulnerability is an Improper Check for Unusual or Exceptional Conditions within the routing protocol daemon (rpd). The rpd process fails to properly handle a specifically crafted, malformed network packet. An unauthenticated attacker with network access to an affected device can send this packet, triggering an unhandled exception that causes the rpd process to crash, leading to a Denial-of-Service. Exploitation does not require any prior authentication, and the attack can be launched remotely.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit will cause a Denial-of-Service, interrupting the routing capabilities of the affected Juniper device. This can lead to significant network outages, disrupting access to critical applications, services, and internet connectivity. The business risks include operational downtime, loss of productivity, potential violation of service level agreements (SLAs), and reputational damage. The impact is most severe for devices acting as core routers or network edge gateways.

Remediation

Immediate Action: Apply the security updates provided by Juniper Networks to all affected devices immediately. After patching, it is crucial to keep monitoring systems for continued exploitation attempts and to review system and access logs for any anomalous activity related to the routing protocol daemon.

Proactive Monitoring: Monitor the health of the routing protocol daemon (rpd) process for unexpected crashes or restarts. Network administrators should analyze network traffic for malformed packets targeting routing protocols. Implement alerts within network monitoring systems to detect device unreachability or abnormal routing table fluctuations.

Compensating Controls: If immediate patching is not feasible, implement strict access control lists (ACLs) or firewall rules to limit network access to the device's routing protocol ports. Restricting access to only trusted administrative networks and known BGP peers can significantly reduce the attack surface and mitigate the risk from unauthenticated, external attackers.
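The monitoring and compensating-control steps above, as an added worked example (this is not code from the advisory or from Juniper). It does two things: `detect_rpd_restarts()` scans syslog lines for rpd crash and restart indicators and flags a device whose rpd restarts repeatedly inside a short window, and `build_re_filter()` renders the Junos `set` commands for a loopback (lo0) firewall filter that accepts BGP (TCP/179) only from a trusted prefix list, with `allows_bgp()` simulating how that filter would treat a given source. Assumptions: the log lines are constructed for the example; the regexes follow common Junos message shapes (the `RPD_START` tag, init reporting a process terminated by signal) but must be tuned to what your platform actually emits; the names `PROTECT-RE` and `BGP-PEERS` are arbitrary; only BGP is covered, so other routing protocols in use need their own terms.

```python
"""Added defender-side helpers for the remediation steps (not Juniper code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "<iso-ts> <host> <proc>[pid]: <msg>" shape.
SAMPLE_LOGS = [
    "2025-10-01T10:00:01 edge-r1 rpd[4211]: RPD_START: Start 22.4R3 version",
    "2025-10-01T10:00:05 edge-r1 rpd[4211]: RPD_BGP_NEIGHBOR_STATE_CHANGED: peer 192.0.2.10 Established",
    "2025-10-01T11:15:30 edge-r1 init: routing (PID 4211) terminated by signal number 11, core dumped",
    "2025-10-01T11:15:33 edge-r1 rpd[4390]: RPD_START: Start 22.4R3 version",
    "2025-10-01T11:18:02 edge-r1 init: routing (PID 4390) terminated by signal number 11, core dumped",
    "2025-10-01T11:18:05 edge-r1 rpd[4402]: RPD_START: Start 22.4R3 version",
    "2025-10-01T11:20:00 core-r2 sshd[900]: Accepted publickey for admin from 203.0.113.5",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
RESTART_RE = re.compile(r"^RPD_START:")                        # rpd (re)started (assumed tag shape)
CRASH_RE = re.compile(r"terminated by signal|core dumped")    # init reporting an rpd death


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "proc": m["proc"], "msg": m["msg"]}


def detect_rpd_restarts(lines, window=timedelta(minutes=10), threshold=2):
    """Per host: count rpd crashes and the largest number of rpd starts inside
    any `window`. Any crash alerts; restarts alert only when they cluster, so a
    single planned restart (upgrade, reboot) does not page anyone."""
    crashes, restarts = defaultdict(int), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proc"] == "rpd" and RESTART_RE.search(rec["msg"]):
            restarts[rec["host"]].append(rec["ts"])
        elif CRASH_RE.search(rec["msg"]):
            crashes[rec["host"]] += 1
    report = {}
    for host in set(crashes) | set(restarts):
        times, burst, start = sorted(restarts[host]), 0, 0
        for end, t in enumerate(times):          # sliding window over start times
            while t - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        report[host] = {"crashes": crashes[host], "max_restarts_in_window": burst,
                        "alert": crashes[host] > 0 or burst >= threshold}
    return report


def build_re_filter(trusted_peers, filter_name="PROTECT-RE", list_name="BGP-PEERS"):
    """Render Junos 'set' commands: BGP from trusted peers is accepted, any other
    BGP is logged and discarded, and a final accept term leaves existing
    management access untouched (tighten further in production)."""
    cmds = [f"set policy-options prefix-list {list_name} {ipaddress.ip_network(p, strict=True)}"
            for p in trusted_peers]              # strict=True rejects host bits set in a prefix
    base = f"set firewall family inet filter {filter_name}"
    cmds += [
        f"{base} term bgp-trusted from source-prefix-list {list_name}",
        f"{base} term bgp-trusted from protocol tcp",
        f"{base} term bgp-trusted from port 179",
        f"{base} term bgp-trusted then accept",
        f"{base} term bgp-untrusted from protocol tcp",
        f"{base} term bgp-untrusted from port 179",
        f"{base} term bgp-untrusted then syslog",
        f"{base} term bgp-untrusted then discard",
        f"{base} term default then accept",
        f"set interfaces lo0 unit 0 family inet filter input {filter_name}",
    ]
    return cmds


def allows_bgp(trusted_peers, src_ip):
    """Simulate the filter: BGP from `src_ip` is accepted only if it falls in a trusted prefix."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in trusted_peers)


if __name__ == "__main__":
    for host, facts in detect_rpd_restarts(SAMPLE_LOGS).items():
        print(host, facts)
    trusted = ["192.0.2.10/32", "198.51.100.0/24"]   # constructed peer list
    print("\n".join(build_re_filter(trusted)))
    print(allows_bgp(trusted, "198.51.100.7"), allows_bgp(trusted, "203.0.113.5"))
```

On the sample lines the detector reports two crashes and a burst of two restarts within ten minutes for `edge-r1` and nothing for `core-r2`; the first, isolated `RPD_START` alone would not alert. The rendered filter is a starting point only: `port 179` matches either direction so both inbound and locally initiated sessions are covered, and the trailing accept term exists so the filter does not lock out management while you extend it to the other protocols the device speaks.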

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 7.5) and the potential for significant network disruption, we strongly recommend that organizations prioritize the immediate patching of all affected Juniper devices. The risk of a Denial-of-Service attack on core network infrastructure is substantial. If patching must be delayed, the compensating controls outlined above should be implemented as a critical interim measure to protect the network's control plane from external threats.