Vulnerabilities ›

CVE-2025-59960

High

CWE-754 — Weakness Type

                    Published: Jan 15, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.4

🔗 NVD Official

📄 Description (English)

An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server.

By default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER is received in 'forward-only' mode with Option 82, the device should drop the message unless 'trust-option82' is configured. Instead, the DHCP relay forwards these packets to the DHCP server unmodified, which uses up addresses in the DHCP server's address pool, ultimately leading to address pool exhaustion.

This issue affects Junos OS:

* all versions before 21.2R3-S10,
* from 21.4 before 21.4R3-S12,
* all versions of 22.2,
* from 22.4 before 22.4R3-S8,
* from 23.2 before 23.2R2-S5,
* from 23.4 before 23.4R2-S6,
* from 24.2 before 24.2R2-S2,
* from 24.4 before 24.4R2,
* from 25.2 before 25.2R1-S1, 25.2R2.

Junos OS Evolved:

* all versions before 21.4R3-S12-EVO,
* all versions of 22.2-EVO,
* from 22.4 before 22.4R3-S8-EVO,
* from 23.2 before 23.2R2-S5-EVO,
* from 23.4 before 23.4R2-S6-EVO,
* from 24.2 before 24.2R2-S2-EVO,
* from 24.4 before 24.4R2-EVO,
* from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.

🤖 AI Executive Summary

CVE-2025-59960 is a high-severity DHCP relay vulnerability in Juniper Junos OS that allows attackers to exhaust DHCP address pools across subnets, causing denial of service. The vulnerability stems from improper validation of DHCP Option 82 in forward-only mode, enabling cross-subnet address pool depletion. Patches are available for affected versions, and immediate patching is critical for organizations relying on Juniper DHCP infrastructure.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 4, 2026 20:22

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi telecommunications operators (STC, Mobily, Zain) and large enterprises using Juniper DHCP infrastructure for network management. Banking sector (SAMA-regulated institutions) and government agencies (NCA, CITC) relying on Juniper equipment for critical network services face service disruption risks. Energy sector (ARAMCO, utilities) and healthcare institutions with Juniper-based DHCP relay deployments are vulnerable to address pool exhaustion attacks. The vulnerability enables attackers to disrupt DHCP services across multiple subnets, impacting business continuity and network availability.

🏢 Affected Saudi Sectors

Telecommunications (STC, Mobily, Zain) Banking and Financial Services (SAMA-regulated) Government and Public Administration (NCA, CITC) Energy and Utilities (ARAMCO, regional utilities) Healthcare Large Enterprises with Juniper Infrastructure

🎯 MITRE ATT&CK Techniques

T1498 - Network Denial of Service T1498.001 - Direct Network Flood T1565 - Data Manipulation T1562 - Impair Defenses T1070 - Indicator Removal

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Juniper Junos OS and Junos OS Evolved devices running affected versions (21.2 before R3-S10, 21.4 before R3-S12, all 22.2, 22.4 before R3-S8, 23.2 before R2-S5, 23.4 before R2-S6, 24.2 before R2-S2, 24.4 before R2, 25.2 before R1-S1/R2)

2. Prioritize patching based on criticality: patch DHCP relay devices first, then other affected infrastructure

3. Review DHCP relay configurations to identify 'forward-only' mode deployments

PATCHING GUIDANCE:

1. Apply vendor patches immediately: upgrade to patched versions (21.2R3-S10+, 21.4R3-S12+, 22.4R3-S8+, 23.2R2-S5+, 23.4R2-S6+, 24.2R2-S2+, 24.4R2+, 25.2R1-S1+/R2+)

2. Test patches in non-production environment first

3. Schedule maintenance windows for production deployments

4. Verify DHCP service functionality post-patch

COMPENSATING CONTROLS (if immediate patching not possible):

1. Enable 'trust-option82' configuration on DHCP relay agents to enforce proper Option 82 validation

2. Implement DHCP snooping on access switches to filter invalid DHCP packets

3. Configure DHCP rate limiting to restrict DHCP DISCOVER packets per interface

4. Deploy network segmentation to isolate DHCP relay devices

5. Monitor DHCP pool utilization for anomalous address allocation patterns

DETECTION RULES:

1. Monitor DHCP server logs for rapid address pool depletion across multiple subnets

2. Alert on DHCP DISCOVER packets with Option 82 arriving at relay in forward-only mode

3. Track DHCP lease acquisition rates exceeding baseline thresholds

4. Monitor for DHCP server CPU/memory spikes correlating with address pool exhaustion

5. Implement IDS/IPS signatures detecting malformed DHCP Option 82 packets

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع أجهزة Juniper Junos OS و Junos OS Evolved التي تعمل بالإصدارات المتأثرة

2. تحديد أولويات التصحيح بناءً على الأهمية: تصحيح أجهزة DHCP relay أولاً

3. مراجعة تكوينات DHCP relay لتحديد نشرات وضع 'forward-only'

إرشادات التصحيح:

1. تطبيق تصحيحات البائع فوراً: الترقية إلى الإصدارات المصححة

2. اختبار التصحيحات في بيئة غير الإنتاج أولاً

3. جدولة نوافذ الصيانة لنشرات الإنتاج

4. التحقق من وظيفة خدمة DHCP بعد التصحيح

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تفعيل تكوين 'trust-option82' على وكلاء DHCP relay

2. تنفيذ DHCP snooping على مفاتيح الوصول

3. تكوين تحديد معدل DHCP

4. نشر تقسيم الشبكة لعزل أجهزة DHCP relay

5. مراقبة استخدام مجموعة DHCP للأنماط الشاذة

قواعد الكشف:

1. مراقبة سجلات خادم DHCP لاستنزاف سريع لمجموعة العناوين

2. تنبيهات على حزم DHCP DISCOVER مع Option 82

3. تتبع معدلات الحصول على عقود DHCP

4. مراقبة ارتفاع CPU/الذاكرة على خادم DHCP

5. تنفيذ توقيعات IDS/IPS

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.12.2.1 - Change management procedures ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.12.3.1 - Segregation of networks

🔵 SAMA CSF

SAMA CSF ID.BE-5.1 - Cybersecurity risk management strategy SAMA CSF PR.IP-12 - Information and records management SAMA CSF DE.CM-1 - Network monitoring SAMA CSF RS.MI-2 - Incident response procedures

🟡 ISO 27001:2022

ISO 27001:2022 A.12.2.1 - Change management ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Secure development policy ISO 27001:2022 A.8.1.1 - Inventory of assets

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates PCI DSS 11.2 - Vulnerability scanning PCI DSS 12.2 - Configuration standards

🔗 References & Sources 2

🔗

https://kb.juniper.net/JSA103149

sirt@juniper.net

Vendor Advisory

🔗

https://supportportal.juniper.net/

sirt@juniper.net

Permissions Required

📦 Affected Products / CPE 50 entries

juniper:junos

juniper:junos:21.2

juniper:junos:21.4

juniper:junos:22.2

juniper:junos:22.4

📊 CVSS Score

7.4

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Attack VectorA — Adjacent

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityN — None / Network

IntegrityN — None / Network

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.4

CWECWE-754

EPSS0.01%

Exploit No

Patch ✓ Yes

Published 2026-01-15

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-754

🏢 Vendor Advisories

🔗 https://kb.juniper.net/JSA103149

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2025-59960

💬 Comments

Introduce Yourself

Sign In Required